Maryland Security Audit Finds Vulnerabilities in Massive Amounts of Student and Teacher Data

A state audit of the Maryland State Department of Education (MSDE) found a "number of deficiencies" in how the agency secured the data under its control, putting massive amounts of student and teacher data at risk.

The state agency stored sensitive data on 1.4 million students and 233,000 teachers in its databases and applications "without adequate safeguards," according to the audit. The department also failed to ensure that applications and systems managed by outside vendors were appropriately "protected against operational and security risks." The audit found that MSDE also lacked a "complete" disaster recovery plan, had inadequate malware protection on its computers, ran outdated operating systems and had numerous computers running without the latest software patches.

The agency's IT operations are decentralized, running in several locations, including at the Department of Education's headquarters. Up until a few years ago, each of those operations ran as a "separate entity," with its own applications, network and disaster recovery plan. MSDE's Office of IT was responsible specifically for the IT operations within the headquarters. But starting in December 2015, the agency began converting the remote sites to use the department's IT support services as a centralized function, including network and IT security, the service desk, hardware and software support and IT procurement. The central staff also began taking control of a separate MSDE network that connected the remote sites to the headquarters.

Among the problems the audit uncovered were these:

  • Certain personally identifiable data was being stored in clear text by the agency in "significant" applications; that included student and teacher names and Social Security numbers.

  • Specific applications and student data were also being managed by third-party contractors without sufficient security. For example, the Division of Special Education put four grant agreements in place with a local university, which subcontracted to an IT service provider, to operate and maintain three applications. Each of those contained tens of thousands of records containing personal information, including names and Social Security numbers; yet none of the applications were included in a manual inventory done by the agency to identify its sensitive data and either scrub it or encrypt it.

  • Also, the IT division's disaster recovery plan failed to adhere to state standards. The plan lacked "adequate details" on the priorities of applications for restoration and it hadn't been distributed to all the disaster recovery planning team members for "ready availability."

  • In addition, the audit found 15 servers running old operating systems no longer supported by their companies, which meant they were vulnerable to new forms of hacks; and other computers were found running one "potentially vulnerable" program that hadn't been updated, in some cases for years.

The audit included numerous recommendations addressing each problem area, including doing an inventory of all sensitive personally identifiable information so that it could either be deleted if it wasn't needed or encrypted if it was; amending its existing agreements with contractors to cover more robust security controls; and building out its disaster recovery plan to fit the state guidelines and then testing it.

The education agency in its response agreed with the findings for the most part and said it would take corrective actions.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
