A Maryland General Assembly audit found that the state's education agency did not adequately store the personal information of 1.4 million students and more than 230,000 teachers. The information in question included names and Social Security numbers, Education Week reports.
The audit shows that the Maryland State Department of Education did not take proper precautions to ensure that applications and systems were protected against potential hackers. The state also lacked an IT disaster recovery plan, and malware protections were not adequate.
Some servers were running on outdated operating systems that are known to have serious security risks. The auditors recommended that the state scrub the system of sensitive information and encrypt whatever is left to be sure it is secure.
As education systems collect more data on students and faculty, the risks of data breaches are greater. Earlier this month, for example, K12.com, a nationwide virtual school, exposed 7 million records containing student information, leaving them accessible to anyone who happened to stumble on them online. The information included names, email addresses, ages and birthdays.
Meanwhile, the education system remains a top target of hackers looking for large batches of valuable personal information because schools sometimes lack the resources to keep the information secure. The FBI issued a warning last fall that specifically suggests targeted attacks are possible on K-12 student data due to the rapid growth of education technology and student data collection. If student data is compromised, students could become victims of identity theft, bullying or tracking. The FBI urges all the agencies that collect student data to ensure a solid cybersecurity plan.
In addition, civil rights groups and security experts are expressing concern and questioning whether schools are going too far in their data collection efforts. Florida is in the process of implementing a student database that will be full of information gleaned from social media, law enforcement and school districts. The ACLU, Southern Poverty Law Center and Electronic Frontier Foundation have all called the project an unnecessary mass surveillance effort.