DataBreaches.Net


Probable security breach may have compromised thousands of Lewis Palmer students’ data

Posted on May 25, 2016 by Dissent

Sherrie Peif reports:

Lewis-Palmer School District 38 officials are mum about the probability that a security breach related to its Infinite Campus platform may have compromised more than 2,000 students’ personal information.

Infinite Campus is a software program that stores personal and academic information about students in the district.

But wait… the district has known about a problem since September?

At a school board meeting on May 19th, a concerned parent asked the school board to fix the security breach immediately. The woman said district officials have known about the issue since the beginning of the school year.

And it gets worse:

After walking through the process with several students and parents using their accounts, Complete Colorado discovered that anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.

Read more on The Complete Colorado.

I wonder if any parents have filed complaints with the U.S. Education Department under FERPA. There’s no way all that information is directory info and it certainly should be protected.

And for the district to claim they won’t confirm or deny the vulnerability but anyone who exploits it is a criminal, well…. wow.  Maybe if someone sued them they would have gotten off the dime faster and gotten this addressed?

Update: The district posted this message on its web site:

Data Privacy

  • 05.25.16

    Protecting your student and family personal data is of utmost importance to LPSD.

    Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems. It appears one individual with legitimate access to our system, using the student portal, may have accessed a few middle and high student IC accounts.  The IP address for this individual was immediately blocked. The individual was unable to modify data or transfer data electronically. We will be contacting the parents of the students impacted.  If you do not receive a call by the end of the day, you can assume your child’s account was not impacted.

    We shut down student portal access to IC this morning.  We apologize for the inconvenience this will cause.  We had hoped to keep IC access for students up through June 1 so that they could view final grades.  Unfortunately, due to this possible breach, grades must be accessed through the parent portal.

    Additionally, Google accounts, where student user names could potentially be viewed, were shut down earlier this week.  Accounts will be upgraded and security will be enhanced over the summer.

    If you need assistance with your parent portal access please contact technology services at (719) 488-4700.

Category: Commentaries and Analyses, Education Sector, Of Note


5 thoughts on “Probable security breach may have compromised thousands of Lewis Palmer students’ data”

  1. Nancy Lorntson says:
    May 25, 2016 at 4:41 pm

    A point of clarification here. The article says “Google Apps for Education (GAFE), which is needed to connect to Infinite Campus”. It also says “Zark did not want her children using GAFE because of the possible breach, which she believed compromised their privacy.” The issue is with GAFE not Infinite Campus.

    IC is a stand-alone Student Information System that the district has chosen to configure GAFE to interface with. They are using the data securely stored in IC to populate GAFE and it is the GAFE data that is exposed.

    I suspect the problem is that the connection between GAFE and IC is using a non-encrypted URL containing a studentID that is visible in the URL and can be easily changed to another student’s ID and submitted to GAFE.

    More info here: http://www.npr.org/sections/ed/2015/12/08/458460509/google-hit-with-a-student-privacy-complaint

    1. Dissent says:
      May 25, 2016 at 8:37 pm

      You may well be right. Either way, they have left a vulnerability unpatched or unremediated since the beginning of the school year, if the parent’s report is accurate. That’s not acceptable.

    2. Bill Fitzgerald says:
      May 28, 2016 at 2:32 am

      This actually doesn’t sound like a GAFE or Infinite Campus issue – it sounds like sub-par username/pw selection assignment on the part of the district.

      This snapshot from the Wayback machine captures the IC login page on November 28, 2015: https://web.archive.org/web/20151128034002/https://campus.lewispalmer.org/campus/portal/lewispalmer.jsp

      To quote what is on that page:

      2013-08-09
      Students:
      Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix, Lp@ before your regular birthday password (i.e. Lp@032794). Additionally, you may change this password by entering Ctrl+Alt+Delete and then picking Change a Password. Changing your password this way ONLY works if you are logged into the school network, NOT from home.

      So, assuming that the message on that page actually was posted on 2013-08-09, that means that this security issue would have been in the wild for the 2013-2014 school year, the 2014-2015 school year, and the 2015-2016 school year.

      1. Dissent says:
        May 28, 2016 at 7:12 am

        Interesting. Can any parent comment on whether that’s still the password structure and system?

        1. Concerned Parent afraid of Retribution says:
          May 30, 2016 at 8:36 pm

          Yes, that is correct. That was the password structure from the beginning, and NOT until Sherrie Peif’s article in Complete Colorado was being done ( http://completecolorado.com/pagetwo/2016/05/24/probable-security-breach-may-have-compromised-thousands-of-lewis-palmer-students-data/ ) did the school district decide to have both Infinite Campus and Gmail accounts shut down to protect the kids. Right up until the article, parents’ concerns were ignored.
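Why the password structure quoted in the comments above (a published prefix followed by the student's birthday) offers so little protection, as an added example that is not part of the original post or its comments: a check that a password-change hook could run to reject birthday-derived passwords, together with the size of the scheme's search space. The function names and the birth-year range used in the test are assumptions made for illustration.

```python
import calendar
import math
from datetime import date

# Date layouts commonly used when a birthday is turned into a password.
DOB_FORMATS = ("%m%d%y", "%m%d%Y", "%d%m%y", "%d%m%Y", "%y%m%d", "%Y%m%d")


def dob_tokens(dob):
    """Every digit string the birthday produces under the layouts above."""
    return {dob.strftime(fmt) for fmt in DOB_FORMATS}


def derived_from_dob(password, dob):
    """True if the password embeds the account holder's birthday.

    Separators and prefixes are ignored by comparing against the password's
    digits only, so 'Lp@032794' and '03-27-1994!x' are both caught.
    """
    digits = "".join(ch for ch in password if ch.isdigit())
    return any(token in digits for token in dob_tokens(dob))


def scheme_keyspace(first_birth_year, last_birth_year):
    """Distinct passwords a 'fixed prefix + MMDDYY' scheme can produce.

    The prefix is printed on the login page, so it adds nothing; only the
    calendar days in the plausible birth-year range count.
    """
    return sum(
        366 if calendar.isleap(year) else 365
        for year in range(first_birth_year, last_birth_year + 1)
    )


def keyspace_bits(size):
    """Search-space size expressed in bits of entropy."""
    return math.log2(size)


if __name__ == "__main__":
    # Constructed range: eight birth years covering one school's enrolment.
    size = scheme_keyspace(1998, 2005)
    print(f"{size} possible passwords, about {keyspace_bits(size):.1f} bits")
    print(f"8 random printable characters: {keyspace_bits(94 ** 8):.1f} bits")
```
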
