BOULDER COUNTY, Colo. -- Boulder Valley School District parents started to receive letters in the mail this week about a data breach affecting numerous students.
Boulder Valley was one of 13,000 districts and universities affected by a hack into the Pearson PLC education software company that affected as many as 60,000 students.
The information that was released was limited to the student’s first and last name and date of birth. Pearson says there is no indication that the data has been used.
Details of the data breach
The breach happened in November 2018, however Pearson didn’t find out about it until this March, when it was notified by the FBI.
Boulder Valley Schools said it was informed that its students were affected by the breach this month and the district started sending out letters to parents last Friday, which Pearson paid for. The letters were sent out only to the students who were affected.
“The delay in them, Pearson, telling us is because there’s an ongoing FBI investigation and with that investigation only so much information could be shared,” said Andrew Moore, the district’s chief information officer.
Current and former students as well as homeschool families who are affiliated with the district were all affected by the breach, including Moore’s own daughter, who recently graduated college.
The Pearson breach happened through its AIMSweb 1.0 system, a tool used in schools to track the achievements and progress of students over time.
Boulder Valley already upgraded from the version of the system that was breached, something that was planned even before the hack.
The district shared some data with that company through its Infinite Campus student information system.
“Infinite campus has every student that has been here for quite some time. There’s a lot of data in Infinite Campus, just like every other school district across the country,” Moore said.
Parents are required to register their child’s information into the program for the school, regardless of which school they attend. That’s why some homeschooling parents whose children didn’t use the AIMSweb 1.0 system were affected.
“I think any company that has a data breach needs to step up,” Moore said.
He is not defending Pearson but the district is also not planning on scaling back cooperation with the company.
Concern from parents
Florence Bocquet is one of the BVSD parents who received letters for her two sons about the breach. Bocquet’s two young sons rarely receive letters and, not knowing what the letters were, she let them open the letters.
“I was like, 'Oh kids you have mail it’s probably exciting,'” she said.
Quickly after the letters were opened, however, Bocquet realized how serious the contents were and what they could potentially mean for her sons.
“I could not believe what I was reading and what is also the Pearson AMS web 1.0? I did not know,” Bocquet said.
She’s worried about how the data could be used, whether it could help would-be thieves find and steal other information from her sons and how she will find out about it.
Since the letters have gone out, Boulder Valley has received phone calls and emails from about 20 parents who are concerned about the security of their children’s data.
Anna Segur is one of those concerned parents. Segur received three letters from the district this week informing her about the data breach, one for each of her kids.
“As a parent, I never consented for this company to have access to my children’s data,” Segur said. “I think the data should belong to the parents, not the school district.”
Pearson has offered parents of affected students one free year of credit and identity monitoring for the breach through Experian Identity Works.
However, Segur is not planning on signing her children up for that service since it requires her to provide even more personal information about her children to a third-party company in order to receive the service.
Rachel Cohen is also very concerned with the data breach but says it’s not totally unexpected. Cohen is a mother of five children who range in age from 2 to 12; she homeschools four of them.
“It’s a beautiful thing to have technology but we need to be careful,” Cohen said. “I would rather us be a little less efficient and a little more cautious.”
Prior concerns
Pearson is not the only third-party vendor the district works with and shares some student data with. According to the district’s website, it works with more than 100 vendors that have signed its data protection policy.
This fact has caused concern among parents like Segur, Bocquet and Cohen for years.
There has been so much concern about student data privacy in the district, in fact, that parents created a Facebook page solely dedicated to that topic. The group has nearly 400 members.
Cohen tried to opt her five children out of BVSD’s data sharing numerous times but was told by the district that the opt-out option is strictly limited to technology used in the classroom and whether or not parents want their children to have access to computers.
She didn’t want her children’s information to be placed into the Infinite Campus system but was told it’s not optional for students affiliated with the district. She wants the district to be more open about which vendors it is giving data to, what data is being provided and how it is being used.
“Not having transparency about it going to all these vendors in this way is not sufficient,” she said.
Cohen says she has been bringing up these data privacy concerns with the district for about five years. Bocquet and Segur have each been voicing their concerns with the district for about three years.
They have written the school board, filed complaints with the district and even reached out to their state lawmakers about the need to protect student privacy. They also created an online petition for something to be done.
“I think the district has kind of played fast and loose with children’s data not concerning with whether the parents want to share that data but doing what’s convenient for them without consent of the parents,” she said.
Segur’s interest in the issue started when her son, who was in the third grade at the time, started coming home and telling his mother about all of the games he was able to play on the computer, including some that involved violence or had chatrooms where the students could talk to complete strangers.
“I just assumed that the school district was doing the right thing. You send your kids to school, the schools are safe,” Segur said. “Then I kind of discovered it’s the Wild West.”
Since then, the district has gotten a new superintendent and changes have started to happen. Boulder Valley Schools says this summer it added new filters to keep students from using things like Netflix and Hulu and to block certain ads.
However, Cohen says she would like more flagging systems to be put in place and for parents to be able to opt their children out of certain things as they see fit.
“Every time I see a new permutation of the agreements that parents are supposed to sign or students are supposed to sign, they tend to err on the side of protecting the district against the students and most of the liabilities are shifted to students and families,” Cohen said.
What the district is doing
Like every other school district, Boulder Valley Schools relies on computer systems to keep track of its students through a variety of systems.
Moore has heard the concerns of some parents who would like to see an opt-out system but says right now, something like that is not possible.
“It’s not a simple thing of just saying, 'OK, I don’t want my data into Infinite Campus, I don’t want my data in any Pearson tool,'” Moore said.
The district says it is following state and federal law to protect the privacy of students.
Beyond that, it has taken steps to protect student data like adding two full-time staffers whose only job is to focus on data security. Those employees are also undergoing even more training for how to protect district data.
However, as technology evolves, Moore says the district will have to continue to do the same to keep up with the changes. He says the district is regularly reviewing data privacy and taking proactive steps to keep students safe.
“Cyber security threats, whether it’s malware, ransomware, viruses, is a huge thing for us and we are continuing to put procedures in place,” Moore said.
In the end, there are no easy answers for how to protect private information in an increasingly connected world that relies on the internet.
For now, it’s up to the district and parents are trying to find way to protect their children from the dangers of data breaches.