The Lewis Palmer School District data security vulnerability and breach continues to concern parents, and I had updated my original post with some observations by Bill Fitzgerald. Now Bill has written his own post on the situation. Giving myself unbridled permission to quote liberally from his thoughtful write-up, here’s part of it:
At the 5/19 school board meeting, a parent shared her experience speaking with the district IT staff. In her public comments, she shared talking with school officials in the fall of 2015 about some of her concerns. The testimony begins at the 53:40 mark of the video. In her testimony, it appears like the student’s login id to Google Apps is the same as their student ID. Therefore, based on how Google Apps works, student emails would also be student IDs, thus ensuring that kids in a class know everyones login ID.
I’m concerned that children are having to log into GAFE with their student ID numbers. And I was told that is just the way it is.
At this point, it’s worth noting that just knowing someone’s login ID is not sufficient to gain access. If, however, passwords were known, then that is a serious privacy issue.
And, it appears that the Lewis Palmer School District used birthdays as passwords, and announced this online from at least September 24, 2013 to March 14, 2016.
Read more on FunnyMonkey.
To be clear, Bill is hypothesizing as to what might have happened and how it happened, but his analysis makes sense. What doesn’t make sense is why the district didn’t address the issue. Yes, it’s time-consuming and inconvenient to re-assign credentials, but given the risks of not doing this properly, and the amount of sensitive information that could be obtained by a curious peer or parent, the situation demanded an effective response. Allowing the situation to continue with the vulnerability strikes me as wildly inconsistent with any claims to care about privacy and data security.