NC: UCPS student information made vulnerable due to insufficient security protections by vendor, superintendent says
WBTV Web Staff and Nick Ochsner report:
Private information of students at school districts and charter schools across the state was left vulnerable by a software misconfiguration by a third-party vendor, Union County Public Schools Superintendent Andrew Houlihan told parents in a letter this week.
According to the letter, the misconfiguration came after iLeadr, a company used by multiple school districts and charter schools, stored records in a cloud-based storage container without sufficient security protections.
Read more at WBTV.
Incident First Reported to NC by DataBreaches
DataBreaches first reported the i-LEADR incident to North Carolina after reaching out via Twitter on July 22. The misconfigured blob had been discovered by a researcher who had contacted DataBreaches after finding it in routine searches. Neither the researcher nor DataBreaches could definitively determine who owned the blob. All we could tell for sure was that public school students in North Carolina were having their personal information exposed improperly.
Within hours of DataBreaches’ tweet requesting notification assistance, this site was contacted by North Carolina’s cybersecurity strike team (NCLGISA). The strike team is a group of volunteers who are all CIOs or deputy CIOs in local governments.
Within hours, they contacted DataBreaches again to report that they had conclusively determined the source of the leak and had already taken steps to get data locked down and appropriate entities notified.
What Did i-LEADR Do in Response?
But who was notified by i-LEADR? Did the vendor notify a single family or a single school district client?
Earlier this week, DataBreaches sent an inquiry to i-LEADR asking about their incident response and who they notified in states other than North Carolina. In hindsight, the inquiry probably should have also asked whether they had notified any client in North Carolina. Despite a second request, DataBreaches has yet to receive a reply to its inquiries.
DataBreaches was aware that the blob reportedly had more than 700,000 folders being updated, but that does not mean there were 700,000 unique students. It did, however, indicate that a large amount of data was stored on that blob without adequate security.
As far as DataBreaches can determine, i-LEADR hasn’t disclosed the leak on their website. Nor has DataBreaches found any press releases or media notices.
Did i-LEADR have adequate logs to determine any access to the blob? When was the blob first exposed?
Is i-LEADR monitoring the dark web to see if any data show up for sale or free download?
i-LEADR is a signatory to the Student Privacy Pledge. One might have hoped for and expected more transparency from them.
North Carolina Responds
Kudos to North Carolina for their prompt response to DataBreaches’ notification to them. They have issued their own press release this week:
On the afternoon of July 22nd, DPI began investigating a report of potential data exposure with the vendor i-Leadr.com. This vendor was contracted directly with the impacted Public School Units (PSUs) and not through NCDPI.
As soon as NCDPI was notified, the agency worked promptly and activated the cyber incident plan working directly with NC Department of Information Technology (NCDIT) and other members of the Joint Cyber Task Force (JCTF).
Together the agencies and impacted PSUs conducted a thorough investigation and took immediate actions to protect student data. Appropriate law enforcement agencies were involved with the investigation.
Because of the nature of the investigation, and in accordance with North Carolina General Statute Section 132-1.4, NCDPI is not able to confirm which PSUs were affected. But NCDPI can confirm that respective legal counsels for any impacted PSUs were notified within the affected PSUs on July 25, 2022. To the extent that any notification is required, it will originate from the PSU to the impacted individuals.
There is Much We Do Not Know
Even though i-LEADR had not contracted with the state itself, North Carolina notified affected public school units in North Carolina, and at least one affected PSU, Union County Public Schools, decided that notifications to parents were required. That district also stopped using i-LEADR’s services after it became aware of the incident. Did any other districts notify parents? Did any other districts stop using i-LEADR? DataBreaches does not know.
The Superintendent’s letter does not indicate when the blob was first exposed without security. Were they given that information by i-LEADR? Does i-LEADR even know?
Did i-LEADR reach out to its clients to alert them to this incident? We do not know and i-LEADR did not respond to inquiries. Were any districts in other states notified by i-LEADR?
DataBreaches sent an inquiry to the U.S. Education Department about this incident, asking whether USED had notified other states, or districts in other states, about it. No reply has been received.
Because i-LEADR signed the Student Privacy Pledge, perhaps the Future of Privacy Forum, the Software & Information Industry Association (SIIA), and those advocating for greater security and data protection in EdTech, such as K12 Six, should investigate this incident and determine whether i-LEADR’s data security and incident response are compatible with best practices.
Article edited post-publication.