The FBI has issued a warning to schools: Protect student data on edtech and other online platforms, or risk having it stolen and sold on the dark web.
Instructional and administrative edtech products collect extensive data including:
– personally identifiable information (i.e., names, Social Security numbers
– biometric data (i.e., fingerprints)
– students’ geolocation
– academic progress reports
– behavioral and medical information
– web browsing history
– IP addresses
Malicious use of sensitive data could result in identity theft, targeted cyberattacks on children and their families, bullying, and physical tracking, the FBI warns.
“Protecting the privacy of student data is a fundamental responsibility of every school system” says Linnette Attai, author of Student Data Privacy: Building a School Compliance Program and project director for the Consortium of School Networking’s Privacy Initiative.
“It’s incredibly complex, but it has certainly been on the radar of school systems for many years now.”
Financial information, such as credit card numbers, is typically most valuable, but Social Security numbers and health records can also net a hacker a nice profit, says Girard Kelly, counsel and director of privacy review at the nonprofit Common Sense Media.
Dark web risks
The special software that hackers and site operators use to access the dark web’s network allows everyone to remain anonymous and untraceable.
These sites are also hidden from the mainstream internet. Hackers and criminals take advantage of the dark web’s anonymity to traffic weapons, drugs and sensitive data.
Student records can be sold off to companies looking to target specific demographics for their products, says Kelly.
The price depends on the quality: Individual Social Security numbers often sell for $1, while bundled medical records—which can be used to create fake IDs, buy drugs or file fraudulent insurance claims—may fetch up to $1,000, according to Experian.
Student data may end up on the dark web if an edtech vendor is breached or if a hacker targets the school itself.
The K12 Cybersecurity Resource Center recorded nearly 400 cybersecurity incidents at schools from January 2016 through October 2018. However, these are only the incidents that have been reported, and there are likely many more that have occurred.
“Schools are a huge target” Kelly says. “Schools are resource-strapped and don’t always get tech funding, so systems aren’t patched or upgraded, and there may be no IT support managing them.”
To prevent exposure on the dark web, administrators should assess their policies and practices on collecting, managing and sharing student data, both digitally and on paper, says Attai, the author. These efforts should be explained clearly to parents, she adds.
Administrators must know about all the applications, legacy systems, services and other technology in their schools to better see where to target resources for data protection, Kelly says.
Sometimes, a third-party solution can help with this ongoing work. “There are always going to be bad actors looking for unpatched systems or data available online” he adds.
Not collecting students’ Social Security numbers can significantly reduce risk, Attai says. District leaders should also vet vendors carefully, and ensure contracts demand strict data protection.