Congratulations Hillsborough Schools: Your Skills in Stonewalling Parents are Superb!

My jaw dropped when I came across School Board Member Cindy Stuart’s comments from the July 30, 2019 Hillsborough County Public Schools (HCPS) board meeting.  Given what I know from years of research on student data security, her comment swirled around in the back of my thoughts for a few weeks after reading the meeting transcripts.  Then I remembered something that sent chills down my spine.  But before I mention that something, here is a little background.

During that school board meeting, Cindy Stuart brought up the district’s mainframe computer in the midst of a brief discussion on data security and stated: “We were about to shut the whole thing down for the RNC”.  The assumption here is that there was a security problem in our own school district server that was problematic for the Republican National Committee (RNC).

The Republican National Convention was held in Tampa in 2012 when Ms. Stuart was running as a candidate for Hillsborough County School Board.  In 2016 the nation was in a tizzy over Russian interference in the U.S. elections.

Did Ms. Stuart mean the Republicans were concerned about the security of the school district server in 2012 or in 2016? Not sure, but she did sound concerned about the security of the mainframe (which presumably held significant amounts of personal student data) even though she does not provide details.  Why would the security of a school district server be relevant to the RNC? Confused? I’ll explain my thoughts.

The something that I remembered was an article about “Russian” Florida hacking that wasn’t actually by Russia.  The hacking came from Morocco.

In 2017 the Miami Herald published an article that EVERY SINGLE PARENT in Florida needs to read.  It provides insight into the massive edu-hacking problem and explains why school districts are targeted by groups like the Moroccan hacker group MoRo.  That group hacked “at least” four Florida school districts two months before the 2016 U.S. presidential election.  Three of those at least “four” school districts remain unnamed.   The Miami Herald article explains:

“That appears to have been one of the principal motivations for the hackers who sent malware to Florida school districts last fall — the promise of thousands of untarnished Social Security numbers.”

But here is the connection to why political parties would be concerned: “The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.”

“The hackers had been able to turn off the logs recording who entered certain computer systems and what they did while logged on. That made it difficult for the UDT analysts to know, with total certainty, what the hackers had done. It was a sophisticated maneuver that Sanchez and his team had never seen before.” [Emphasis added]

The statement that this was a “sophisticated maneuver” is questioned in this CSO article that seems to rightly challenge that assertion: “Silly me, I thought disabling logging was fairly common if a hacker doesn’t wanted busted immediately.”

Even more importantly the author “Ms. Smith” elaborates:

“Yet, if the hackers remained inside the systems for at least three months, that seems to be more than an “attempted” hack. Attempted, perhaps, pertains to stealing the personal information of hundreds of thousands of students and then selling the Social Security numbers on the dark web.”

Your child’s student data might include sensitive information (behavioral records, medical records, psychological evaluations, etc.).  You do not see all the data (and metadata) collected on your children by third party companies the district has contracted with to do their job by digitally assessing, testing, recording student data often without your consent.  How much data? One Learning Management System (LMS), Canvas, reportedly held more than this college student could have “ever imagined”:

“When the file did arrive, it contained more information than he had ever imagined.

‘It was something like 400,301,000 individual data points about me,’ said Short.

The information that was gathered on Short went well beyond test scores and basic analytics. It included details about how he used his mouse, how he interacted with the learning system and when he did it.” [Emphasis added]

Even if the security of this private information is not important to the parent, it will be to the child who grows up to discover his pristine credit records were tarnished because of edu-hacking well before he had a bank account.  And that doesn’t even begin to address all the other potential issues that could arise from the hacking or sharing of data from children’s EdTech accounts: threats, records getting changed, pranks, exposure of sensitive records, and adversity scoring for college admissions.  Some private student information, if released (accurate or not) or maliciously altered, might impact the acceptance of students to their college or employer of choice.

Don’t fool yourselves.  Student data isn’t stored in an impenetrable box in the sky protected by some magic dust.  People make mistakes (securing the data, developing software, and assigning kids bad passwords).  Vulnerabilities are found and data gets breached, hacked, or ransomed in a private server or in the cloud – it is as simple as that.  I think the Miami Herald articulates this point well.

What does this have to do with Hillsborough Schools? Maybe nothing, but maybe not nothing.

On July 30, 2019 our school board (HCPS) voted to adopt the EdTech platform Canvas.  Canvas replaces Edsby and is a cloud platform.  Canvas touts the sheer size of student data they hold.  Below are two quotes from Dan Goldsmith, the former CEO of Instructure (Canvas’s parent company), in an investor’s conference from March 2019.  The first was found in the Washington Post:

“We have the most comprehensive database on the educational experience in the globe. So given that information that we have, no one else has those data assets at their fingertips to be able to develop those algorithms and predictive models.” [Emphasis added]

And another quote from that investor meeting found here:

“Our DIG initiative, it is first and foremost a platform for ML [Machine Learning] and AI [Artificial Intelligence], and we will deliver and monetize it by offering different functional domains of predictive algorithms and insights…” [Emphasis added]

Machine learning can attempt to do things like predict future performance of students based on existing data.  What happened to the resilience of the human spirit and mind that often result in very unpredictably successful outcomes after a bumpy start? Will documented outcomes from machine learning results stigmatize and mark an early underachiever? The point is there is a lot of student data being collected and analyzed and potentially subjected to ML or AI in order to create new data on students.  The FBI even warned in 2018 about how much and what kind of student data, when collected electronically, is at risk.

Cindy Stuart, now running for Hillsborough County’s Clerk of Courts, did make that strange and curious statement in the July 30, 2019 board meeting that should raise questions and disturb every parent in the district who has kids in the school system.  Here are her comments:

“…I’ve been here seven and a half years and I remember touring the main frame room and practically got hives when you told me what was going on in there because that is my background.  And it wasn’t good. We were about to shut the whole thing down for the RNC.  It was not pretty.” [Emphasis added]

She didn’t stop at “…it wasn’t good” or even that it practically gave her hives, she went on “It was not pretty”. What did Cindy Stuart mean with this alarming commentary?  What “RNC” was she referring to?

The timing of the 2016 Republican National Convention was pretty darn close to “Two months before the U.S. presidential election” when “international hackers slipped into the computer systems of at least four Florida school district networks” (Miami Herald).

Was our district one of the “at least” four? It is hard to know when the school district’s answers to my questions about data security have on more than one occasion left me with concerns and questions when I wasn’t provided clear answers, hence, the stonewalling reference.

On July 18, 2020 I emailed Cindy Stuart for a statement regarding her comments above.  I have not received a reply at the time of this posting.  I also asked Ms. Stuart:

“Please clarify who or what you are referring to as the “RNC”? 

 Was this comment referring to the 2012 or 2016 Republican National Committee or Convention? 

Can you please elaborate specifically on what “was going on in there” [in the mainframe room] and why it was so concerning?”

In another case I requested emails from the school district regarding data breaches, public records, and the response was:

“preliminary estimated cost for information technology resources for your request of email communications between the dates you specified is $2,514.59.” 

And that, my friends, did not include the cost to redact the emails.  In a simpler request this is what happened when I asked the district about data breaches:

“Can you please confirm if Hillsborough County District Schools or any of its vendors have ever experienced a data breach of HCPS student or employee data?” [Emphasis added]

The answer from Tanja Arja, now Hillsborough Schools’ Chief Officer of Communications:

“The district cannot attest to the history of all vendor’s security incidents.  Florida law however requires organizations to report data breaches (See Florida Information Protection Act of 2014) [FIPA].  Since the law was enacted the district has not been officially notified of a data breach of district provided data nor is the district aware of an internal student or employee data breach requiring notification.” [Hyperlinks and emphasis added]

Oh, my stomach turned at all the qualifying phrases in this statement and here is why:

Problem 1: Federal Student Privacy law (a.k.a. FERPA) has no breach reporting requirement; the U.S. Student Privacy office only recommends reporting a breach of student data.  Florida’s privacy law, FIPA, does not require an institution “provide notice to the department of any breach of security” unless it affects “500 or more individuals in this state”.   How many student and medical data breaches are hiding behind that number (especially with the plethora of ransomware attacks on schools and medical clinics)?

Problem 2: They “cannot attest to …vendor’s security incidents” is shocking.  Under the federal student privacy law 99.31(a)(1)(B)(2) district vendors holding student data (as “school officials”) are required to be “under the direct control of the agency or institution with respect to the use and maintenance of education records”.  HCPS cannot attest…even when they hand over student data to vendors without parental consent?!

Problem 3: They did not answer the question.  My question used the wording “ever”.  It appears they are hiding behind a weak law that was not passed until 2014 (woefully late).   Further, state law says a breach “means unauthorized access of data in electronic form containing personal information.” If a hacker covered his tracks, as noted in the Miami Herald article, and one cannot validate if student data or “personal information” was accessed then is it a “breach”?  I think if a hacker was in the system and covered their tracks, you should not be assuming nothing was compromised. 

Problem 4: Even after 2014, they are not aware of “…student or employee data breach REQUIRING notification.” [emphasis added]   Were there any breaches of systems that did not require notification?

Problem 5: “Officially” notified.  Does this mean they get unofficial notifications of breaches that they don’t report?

I asked EVER and I got “since 2014” with a multitude of qualifiers.  Why can’t I get a straight answer when I ask the district IT questions dealing with security and data privacy?  I am a mom in this district who cares and has serious concerns about the safety and security of children.  This includes their identities, personal and private information, and future opportunities.  I am asking sincere questions.

Either HCPS is particularly adept at avoiding the clear intent of my question, as displayed in their answer reminiscent of Animal Farm’s Squealer, or they are really bad at communicating clearly.  If it is the latter, then the district might want to look closely at that situation and the confusion it creates for their concerned citizen and parent-customers.

I am tired of playing semantics and delayed response games with the district.  So now I will publicly ASK that district leaders please allay our concern with a clear answer to the following questions:

Has there EVER been a breach of HCPS district systems that affected any number of employees or students, regardless of whether it was determined by the district or authorities to have resulted in data being “access”ed?  Were all students and families notified in every case? Was Hillsborough County School District one of the Florida school districts hacked or infiltrated by the Moroccan hacking group MoRo?

Why are three of the “at least” four hacked school districts still unnamed?  My guess is that it comes down to Florida’s data privacy law.  If they cannot prove that data “containing personal information” was accessed or stolen because “hackers covered their tracks” then did the event qualify for the definition of a breach under the law?

The law is one thing, ethics is another.  Would it not be ethical to alert students and families of a possible student data hack if there is certainty someone did breach a system?  The escalating number of hacks and ransomware attacks on student and medical data where it is not always clear what data was accessed should concern everyone.

People are not infallible; they do make mistakes securing data.  People can be resourceful and determined; ingenuity isn’t limited to people with good intentions and unfortunately this is probably a characteristic that makes hackers successful in finding vulnerabilities.  The best way to protect your kids’ sensitive data is to push for limits regarding what schools collect and what school districts will allow (knowingly or unknowingly) their third party EdTech vendors to collect.  Once it is stored online, it becomes at risk for hacking or leaking.

I have called for action in a letter to several US Senators that was quoted in The National Pulse. The recommendations in that letter would help improve data security and student privacy.  One of these is to require all districts to have a “full time credentialed CyberSecurity and Student Privacy Expert”.  The other is to improve the state law that currently only requires reporting a breach when it affects 500 or more victims.  Another is to require training in state and federal privacy laws for all employees of a school district. The most important recommendation is to bring back the requirement to first obtain “student or parental consent”.  That requirement was removed from FERPA (Family and Educational Rights and Privacy Act of 1974) by the U.S. Department of Education in 2011.

I have reported more than one instance of apparent data breaches that affected several students, but according to the current 2014 state law, the victims do not have to be informed.  I have no knowledge about whether parents were told or if any investigation determined it was a verified data breach.  In one case I reported that very personal and identifiable student information was posted by a school district employee on a publicly available website.  The website was finally taken down.  In another case a tremendous amount of achievement and test data on an entire classroom appeared to have been posted on social media in a spreadsheet, and again, I reported and the tweet was removed.  Both of these events were discovered incidental to other research I was performing.  So, I wonder, how much more could actually be out there?

Under current law, it appears that if 499 student social security numbers were stolen then no legal requirement exists that students or parents be informed.  This, Florida lawmakers, is unacceptable.
