By: Ann Costantino
A security flaw that made highly sensitive data available to anyone holding login credentials for a Baltimore County Public Schools portal is being worked through with the help of Microsoft, according to a statement provided to The Baltimore Post by a spokesperson from the company.
“We’re working with Baltimore County Public Schools to help resolve their issue. We encourage customers to use best practices when configuring sharing settings unique to their needs and more information can be found here,” said the spokesperson.
On Wednesday, The Baltimore Post reported that a security flaw had been detected within a tool on the school system’s BCPS OneDrive portal by some parents and students who unintentionally discovered pages of test scores linked to students in some schools.
Some parents and students had noticed several files sitting on a main page within the Microsoft Office 365 application that is housed within a portal where students are able to access classes, grades and academic resources online.
Anyone with a password to the school system’s BCPS OneDrive portal, including students, parents, and staff members – numbering in excess of 200,000 users – would have had access to openly shared documents containing others’ personal student and staff member information, as well as some sensitive school system records.
It is not known how long the records have been open to thousands of students and employees or whether there was a larger-scale breach of the data. The Baltimore Post immediately notified a school system information technology employee upon verifying some of the sensitive data.
Last month, Microsoft released a software update which included a new search bar function. Through that search bar, portal users could search for any school resource. But since numerous files had been saved by some school system staff so that anyone with a password could access them, even documents that were not intended for students or parents could be viewed.
The Baltimore Post found that among those documents were highly sensitive special education records, very detailed discipline and suspension records, as well as sensitive medical data for some staff members. Also found were pages of student ID numbers and home addresses, as well as state assessment scores for numerous students.
Among the records were also professional development materials and presentations on how to secure students’ data privacy.
The school system has not addressed the security vulnerability publicly with a statement. But the system’s interim superintendent, Verletta White, released a letter to staff members yesterday, providing instructions on how to save files so they are not available for all portal users.
“Microsoft Office 365, and particularly OneDrive, released a new feature on May 29, 2019, that allows for BCPS users (students and staff) to perform a search across the entire BCPS OneDrive system and return results for any files or folders that match the search. This means if a user has or does share files with ‘everyone,’ those files are now searchable by every user (students and staff). Attached, staff will find instructions to mitigate the effects of this Microsoft feature. ALL staff must follow these instructions. Any questions related to this may be directed to the Department of Information Technology…”
Most alarming, however, is the fact that school administrators were notified of the security breach days before it was reported by The Baltimore Post, and seemingly did nothing to secure numerous highly sensitive documents.
One industry expert exclaimed, “This is a colossal systemic failure of basic networking and security practices in a system already mired in numerous scandals. The fact that nothing was done to immediately secure the data when initially notified equates to gross negligence. The assertion that the breach was caused by a search bar appears misleading at best. It is evident from both the Microsoft statement and the interim superintendent’s statement that the breach is primarily due to improperly setting permissions on files stored by administrators and staff. This situation could have been avoided with proper planning, testing and training.”
Administrators had been notified of the vulnerability as recently as two days before the school system worked to resolve the error on Wednesday. Concerned parents reached out to The Baltimore Post when it was discovered the security concern had yet to be addressed. When asked whether attempts to remedy the issue had been made after the initial complaint, the system’s director of information technology did not respond.
After verifying the security flaw, The Baltimore Post reached out to an information technology contact at Baltimore County schools on Wednesday night, prior to publishing the breach story. The school system immediately took steps to secure its system.
As a result, on Thursday, students did not have access to Microsoft OneDrive for completing schoolwork and homework. The lack of access interrupted some instruction and students’ ability to complete and access assignments and final projects.
Principals sent messages to parents on Friday explaining the interruption was due to the release of Microsoft Office 365’s new search feature “which could pose a concern regarding data privacy.”
“In an abundance of caution, students did not have access to the BCPS OneDrive at school or at home yesterday.”
Baltimore County schools has been recognized for its commitment to students’ data privacy and security. Last month, the district received a renewal of the prestigious national Trusted Learning Environment (TLE) Seal.
According to the TLE website, certain criteria must be met in order for school districts to earn the seal:
- Leadership Practice: manage and collaborate with stakeholders regarding the use and governance of student data to inform instruction
- Business Practice: establish acquisition vetting processes and contracts that, at a minimum, address applicable compliance laws while supporting innovation
- Data Security Practice: perform regular audits of data privacy and security practices and publicly detail these measures
- Professional Development Practice: require school staff to conduct privacy and security training and offer the instruction to all stakeholders
- Classroom Practice: implement educational procedures and processes to ensure transparency while advancing curricular goals
The district is among only 16 school systems in the country that have received the TLE Seal, and it is the only district in Maryland to have done so. The Consortium of School Networking (CoSN), a professional association for technology leaders, awarded the district the seal twice, first in 2017.
A spokesperson for CoSN told The Baltimore Post on Thursday that data privacy is an ongoing issue and that the TLE seal is not intended to be an “end-all be-all.” “No one is perfect at data security, but it is a commitment to ongoing improvement and we need to see evidence of that ongoing improvement in order to have the seal renewed… It requires that districts look holistically at how they are protecting privacy and security… the program requires that there is an ongoing effort and commitment. It’s not that one gets the seal and sits back; it’s that one gets the seal and keeps going.”
As part of CoSN’s commitment to ensuring that school systems keep up with their data privacy goals, the spokesperson said that once Baltimore County schools has had time to completely secure its system, CoSN will reach out to administrators to discuss the recent data privacy concern.
Several Baltimore County school employees worked throughout the night on Wednesday to repair the data vulnerability. An information technology employee, grateful to have been notified, said, “Thank you for bringing it to our attention. We are all better off working together for our students, parents, teachers, staff, and citizens.”