This week we’ve seen news of a major breach of users’ data from an online service run by VTech. What sets this one apart is that personal information was stolen from hundreds of thousands of children’s accounts, associated with some of the millions of adult accounts that were also compromised.
Here is what Troy Hunt had to say about the severity of the breach:
“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.”
When I read this paragraph, head nodding, I thought of the running list I keep of my own kids’ identifiable personal information I’ve been able to gain unauthorized access to through remote attack vulnerabilities in online services used at their schools. (A remote attack is something that does not require access to the user’s network traffic, and can be done from anywhere).
The list is below. I was able to collect all of this by exercising flaws in web pages and interfaces in the education-related services that hold my kids’ information. It wasn’t all in one place like the VTech information but goes far beyond what was held there.
- full name
- date of birth
- in-class behavior records
- reading level and progress assessments
- math skill and progress assessments
- in-class test and quiz scores
- report cards
- ability to send private message to a student through an app
- voice recordings
- usernames (some with passwords)
- password hashes
- school lunch assistance status
- name and address of school
- teacher name
- classmate names (through class rosters)
- class photos with students labeled by name
- parent email addresses
- parent names
- home address
- home phone number
My kids are still in elementary school. Simply by going to school they’ve already had all of this information exposed to the possibility of unauthorized access and collection.
I don’t have knowledge that any of this information has been subject to unauthorized access — but the only difference between a responsible disclosure and a data breach is the ethics of the person who finds the vulnerability. Most of these vulnerabilities exposed many thousands of students to potential breaches, some of them exposed millions of students to potential breaches of their personal and educational information.
This is a system-wide problem that educators, parents and technology providers must work together to address. Things are improving but we have a long way to go. Here are some previous posts on that topic: