Groton Central School District announced on Aug. 29 that it was one of over 13,000 school districts across the nation victimized in a security data breach that exposed student information.
The records of 846 students were exposed during the security breach, revealing the following information about each of the students: first names, last names, dates of birth, email addresses and student ID numbers. Some districts had all of the information above exposed, while others may have had one or two pieces of the information exposed.
According to the school district, the security breach occurred back in November 2018, when there was unauthorized access to personally identifiable information in Pearson Education’s AIMSweb 1.0 system, an assessment platform used by the school district for several years until the district stopped using it at the start of the 2015–2016 academic year. The Federal Bureau of Investigation discovered the security breach and notified Pearson Education of the breach in March 2019.
Superintendent Margo Martin said fortunately none of the email addresses that were exposed were activated, so they were unusable. Martin also said the reason the district did not find out that it was one of the thousands of compromised schools was that it does not directly contract with Pearson Education.
“This region was a little unique in not finding out from Pearson, like other districts across the nation were finding out, because in our contract in New York we go through BOCES,” Martin said. “We are all in this region – 50 districts in this region – part of the [Central New York Regional Information Center] … and the way BOCES is structured, we go through them, they actually go through Erie 1 BOCES for this type of contract. Pearson was not willing to give it to the individual districts because they didn’t have a contract with us, they had a contract with CNYRIC.”
A Pearson Education official said the company let the BOCES contact the individual districts since, more often than not, they are the ones who house the data for the districts.
“In New York, as you know, it is a fairly unusual system, compared to a lot of other places in the country, where they have the BOCES in individual districts,” the official said. “There were some cases where we found where both the district had the account and the BOCES did, and so both were notified. Some were just through the BOCES, but even then, if the district called in or wrote in and asked Pearson if they had impacted students, we were letting them know at that point. But often when the BOCES is the contracted party…they’re the ones that keep the records, complete records of which districts were using the product when. So we relied on them to provide notifications to the districts.”
In addition to not directly contracting with Pearson Education, Groton Central School District’s data is housed in CNYRIC. Martin said prior to learning of the security breach on Aug. 28, the district reached out to Pearson to find out whether or not it had been subjected to the security breach.
“Initially, Pearson was saying, ‘No, you weren’t,’ because they didn’t see a contract with you because the contract was through CNYRIC,” she said. “So they were saying, ‘No, you weren’t,’ when technically you were, but they were looking at it in terms of the entities they had contracts with, not the individual district data.”
The official said Pearson Education preferred to leave it to the individual districts and/or BOCES to notify those that were affected.
“We want to obviously be thorough and transparent, which is why we did make notifications as quickly as possible as we got the report,” the official said. “But we also are cognizant that this is a sensitive situation and different districts and BOCES all have their own individual policies of how to notify the families and the schools that fall under their oversight. So we wanted to first go to the actual people who were contracted with us and let them know about it because in a lot of situations they then have a way they like to do notifications.”
“The other piece of this is because this is a retired system and older records in most cases, a lot of the people who were impacted are not actually current students or families. So we wanted the schools or the BOCES to be able to review the records and make that determination on who to notify themselves versus us going more abroad or sending notifications out to the media, which could lead to these districts being overwhelmed by people calling in who were not actually impacted.”
Pearson Education no longer uses the AIMSweb 1.0 system, as it is outdated software. As for why the information that was exposed was kept on the retired system, the official said the company keeps bits and pieces of the data, like first and last names, dates of birth, email addresses and student ID numbers, for certain uses while it removes the majority of the records.
“There are some pieces of data that are kept for historical comparison purposes…but a lot of it is deleted, and I think that is partially why when the data was accessed it wasn’t full records,” the official said. “They were able to access data fragments that were left or able to access even sometimes when they were deleted. So that’s why I think a lot of this data had been deleted or removed or archived, and that’s why there were not a lot of full student records that were in here.”
The Groton Central School District has taken steps to mitigate the exposure of the data, such as having a brand new firewall installed by CNYRIC and holding professional development courses on email phishing. Pearson Education is offering complimentary credit monitoring from Experian for one year to those impacted by the security breach.