Sherrie Peif reports:
Lewis-Palmer School District 38 officials are mum about the probability that a security breach related to its Infinite Campus platform may have compromised more than 2,000 students’ personal information.
Infinite Campus is a software program that stores personal and academic information about students in the district.
But wait… the district has known about a problem since September?
At a school board meeting on May 19th, a concerned parent asked the school board to fix the security breach immediately. The woman said district officials have known about the issue since the beginning of the school year.
And it gets worse:
After walking through the process with several students and parents using their accounts, Complete Colorado discovered that anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.
Read more on The Complete Colorado.
I wonder if any parents have filed complaints with the U.S. Education Department under FERPA. There’s no way all that information is directory info and it certainly should be protected.
And for the district to claim they won’t confirm or deny the vulnerability but that anyone who exploits it is a criminal, well… wow. Maybe if someone had sued them, they would have gotten off the dime faster and gotten this addressed?
Update: The district posted this message on its web site:
A point of clarification here. The article says “Google Apps for Education (GAFE), which is needed to connect to Infinite Campus”. It also says “Zark did not want her children using GAFE because of the possible breach, which she believed compromised their privacy.” The issue is with GAFE, not Infinite Campus.
IC is a stand-alone Student Information System that the district has chosen to configure GAFE to interface with. They are using the data securely stored in IC to populate GAFE, and it is the GAFE data that is exposed.
I suspect the problem is that the connection between GAFE and IC is using a non-encrypted URL containing a studentID that is visible in the URL and can be easily changed to another student’s ID and submitted to GAFE.
More info here: http://www.npr.org/sections/ed/2015/12/08/458460509/google-hit-with-a-student-privacy-complaint
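The pattern the comment above suspects (a record selected solely by an ID the client supplies) next to the server-side authorization check that closes it, as an added example: this is not code from Infinite Campus, GAFE or the district, and every name and record in it (StudentRecord, RECORDS, LINKED_STUDENTS, AUDIT_LOG) is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class StudentRecord:
    student_id: str
    name: str
    bus_stop: str


# Constructed sample records, keyed by student ID.
RECORDS: Dict[str, StudentRecord] = {
    "10001": StudentRecord("10001", "Student A", "Oak St & 3rd"),
    "10002": StudentRecord("10002", "Student B", "Elm St & 5th"),
}

# Constructed: the student IDs each authenticated account is linked to
# (a parent account linked to one child, a student linked to themselves).
# These links live in the system of record, never in the request.
LINKED_STUDENTS: Dict[str, Set[str]] = {
    "parent_a": {"10001"},
    "student_b": {"10002"},
}

# Denied lookups are recorded so that repeated ID probing from one
# account is visible when logs are reviewed.
AUDIT_LOG: List[str] = []


class Forbidden(Exception):
    """Raised when a session asks for a student it is not linked to."""


def fetch_record_unsafe(student_id: str) -> Optional[StudentRecord]:
    """Flawed pattern: the ID taken from the URL is the only selector,
    so any logged-in account can read any student's record."""
    return RECORDS.get(student_id)


def is_linked(session_user: str, student_id: str) -> bool:
    """Server-side check against the account's own links."""
    return student_id in LINKED_STUDENTS.get(session_user, set())


def fetch_record(session_user: str, student_id: str) -> StudentRecord:
    """Hardened lookup: authorize against the session first, then fetch.
    Links are only ever created for existing records, so the key lookup
    cannot fail once the check has passed."""
    if not is_linked(session_user, student_id):
        AUDIT_LOG.append(f"DENY user={session_user} student={student_id}")
        raise Forbidden(f"{session_user} is not linked to {student_id}")
    return RECORDS[student_id]
```

Transport encryption is a separate control: TLS hides the ID from the network, but only the authorization check stops a logged-in user from substituting another ID.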
You may well be right. Either way, they have left a vulnerability unpatched or unremediated since the beginning of the school year, if the parent’s report is accurate. That’s not acceptable.
This actually doesn’t sound like a GAFE or Infinite Campus issue – it sounds like sub-par username/pw selection assignment on the part of the district.
This snapshot from the Wayback machine captures the IC login page on November 28, 2015: https://web.archive.org/web/20151128034002/https://campus.lewispalmer.org/campus/portal/lewispalmer.jsp
To quote what is on that page:
So, assuming that the message on that page actually was posted on 2013-08-09, that means that this security issue would have been in the wild for the 2013-2014 school year, the 2014-2015 school year, and the 2015-2016 school year.
Interesting. Can any parent comment on whether that’s still the password structure and system?
Yes, that is correct. That was the password structure from the beginning, and NOT until Sherrie Peif’s article in Complete Colorado was being done ( http://completecolorado.com/pagetwo/2016/05/24/probable-security-breach-may-have-compromised-thousands-of-lewis-palmer-students-data/ ) did the school district decide to have both Infinite Campus and Gmail accounts shut down to protect the kids. Right up until the article, parents’ concerns were ignored.