Parmy Olson reports that while Pearson may be trying to implant the idea that 13,000 students were affected by its recently disclosed breach, the number may actually be much, much higher.
Allan Cunningham, the information-security officer for Washoe County School District in Nevada, said he learned from Pearson that the breach affected data of 114,000 students enrolled between 2001 and 2016 in his jurisdiction alone. For about half of those, information on their dates of birth was accessed. A cybersecurity administrator in another large school district estimated that in his region about 500 students were affected.
Read more on WSJ, and great thanks to Doug Levin for managing to work in my question to him on Twitter the other day:
Douglas Levin, president of EdTech Strategies, a security consulting firm for the education industry, questioned some of the security practices Pearson’s system used.
“If you’re building an information system for schools, you wouldn’t be placing personally identifiable info into a database like this,” he said. “You’d use a unique student identifier that did not have a name, email and birth date.”
Pearson said it was reviewing its systems.