Lewis-Palmer School District 38 officials are mum about the probability that a security breach related to its Infinite Campus platform may have compromised more than 2,000 students’ personal information.
Infinite Campus is a software program that stores personal and academic information about students in the district. Many districts use the system, but those districts are free to decide how much information is accessible to parents and students online.
Many districts allow access only to grades, attendance, and schedules. Lewis-Palmer extends that access to highly confidential personal information.
At a school board meeting on May 19th, a concerned parent asked the school board to fix the security breach immediately. The woman said district officials have known about the issue since the beginning of the school year.
Melinda Zark told the board that in the fall she spoke to the district’s top two information technology staff members and her children’s principal about the issue with Google Apps for Education (GAFE), which is needed to connect to Infinite Campus.
GAFE is a hosting solution by Google to incorporate Google mail, calendar and chat services. Student emails in the district use the student’s ID in an @lewispalmer.org format. And school officials say there are no other options right now – although they do issue email accounts to employees and board members using their names.
Zark did not want her children using GAFE because of the possible breach, which she believed compromised their privacy. She said she was told there was nothing the district could do about it.
Zark did not give specifics about how the breach worked, but several other parents and students came forward to Complete Colorado with examples, using their own accounts to demonstrate the problem.
After walking through the process with several students and parents using their accounts, Complete Colorado discovered that anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.
To protect the students and families in Lewis-Palmer, Complete Colorado will not release specifics about how the compromise works. However, Complete Colorado is reporting on the breach because as of press time, Lewis-Palmer had not notified district parents that a breach may exist.
Several tests showed that anyone can access student records with very little information, and without the consent or knowledge of the student whose information is accessed.
“You have a lot of computer experience,” Zark said to Lewis-Palmer School District 38 Board of Education President Mark Pfoff, who is a former police detective specializing in cyber crimes and computer forensics and now runs his own cyber security firm. “If you would be willing to please take a good look at what’s happened, I would really appreciate it. I have a lot of information here that I don’t want to have. I’m very upset that this has been out here for so long. Please shut this down and discuss how you can make this better for all the students.”
When contacted for comment, Pfoff refused to discuss the situation, saying he would not confirm or deny there was a problem. He did comment, with what was perceived to be a threat, that anyone with the knowledge of how to “hypothetically” hack into the system was in violation of the law.
“If I answer that question, I will be verifying there is an issue,” Pfoff said. “I’m not going to comment on something that is or is not an issue. But understand this, if people have found a security issue, and they are exploiting it, they are breaking the law.”
It appears the district is attempting to fix the problem, albeit slowly and under the radar.
Sometime since Thursday’s school board meeting, one step in the access process was disabled. And on Tuesday, an email went out that included the following notice: “Student GAFE (Google) accounts have been disabled for the summer. The summer is an important time for conducting system maintenance and security upgrades on our student technology accounts.”
However, there was still no mention of a possible breach, and the email said access to the accounts would be available until June 1. And access to thousands of accounts by complete strangers may already have occurred.
During the meeting on Thursday, board member Sarah Sampayo was the only board member to recognize the concern. She brought it up as the district was discussing two new policies that deal with privacy and cyber rules. One policy asks parents and students to sign a waiver stating they understand there is no expectation of privacy when they use district technology, and the other protects the district against unauthorized use of its technology that may cause harm to a student.
“There is obviously something out there that she wasn’t comfortable explaining live,” Sampayo said of Zark’s comments.
Sampayo questioned the district’s technology director, Liz Walhof, about whether the district planned to make changes to the Gmail accounts.
“How easily accessible is that uniquely identifying [student identification] number to the vast community,” Sampayo asked. “And is our kids’ information then protected because you can then log in … with just the kid’s ID number.”
Walhof said they continue to look into better formats, but added that right now it is not possible to issue an email without using the student’s ID number.
“I will tell you that issues we’ve been made aware of — when we determine if there is a problem — yes, we’re going to rectify those issues,” Pfoff said.