« How Many of the Most Influential People in Ed Tech Are Working Educators? | Main | Here's What an Update of a Key U.S. Privacy Law Could Mean for Schools »

Audit: Maryland Dept. Did Not Properly Store Data for 1.4 Million Students


The Maryland State Department of Education "inappropriately stored" personal information of 1.4 million students and more than 230,000 teachers, leaving them vulnerable to potential bad actors, according to an audit published earlier this month.

"As of June 29, 2018, we determined that separate databases for statewide student and teacher identity information held 1,430,940 unique student names and social security numbers and 233,130 unique teacher names and [social security numbers] respectively; all stored in clear text," the audit said. "In addition, we noted that this sensitive PII was not adequately protected by other substantial mitigating controls such as the use of data loss prevention software."

Such personally identifiable information is commonly associated with identity theft, the report said, although it did not draw the conclusion that any of the information fell into the wrong hands.

The audit, which was published by the Maryland General Assembly, found that the state did not make sure that critical applications and systems were protected against potential security risks. The state also did not have a complete information technology disaster recovery plan, the report found. And it found that the state's malware protections were not up to snuff.

That means certain servers were running on outdated and no-longer-supported operating systems, and a number of computers hadn't been updated with the latest release of software products that were known to have serious security-related problems, the audit noted.

The auditors recommended that the state perform a manual inventory of all its systems and delete all unnecessary personally identifiable information, plus use an encryption method to make sure the information is secure. And they asked the state to review agreements with contractors to mitigate security risks. In a response included with the audit, the state agreed to take both steps.

Cybersecurity is continually identified as a top concern, not just among state education officials but among chief technology officers. More in this story, from Education Week Marketbrief.

Don't miss another Digital Education post. Sign up here to get news alerts in your email inbox.

Notice: We recently upgraded our comments. (Learn more here.) If you are logged in as a subscriber or registered user and already have a Display Name on edweek.org, you can post comments. If you do not already have a Display Name, please create one here.
Ground Rules for Posting
We encourage lively debate, but please be respectful of others. Profanity and personal attacks are prohibited. By commenting, you are agreeing to abide by our user agreement.
All comments are public.

Follow This Blog


Most Viewed on Education Week



Recent Comments