Pearson data breach revives concerns about student privacy in Colorado

A security breach last year at the educational services company Pearson compromised the personal data of thousands of Colorado students.

Nationwide, the cyberattack affected 13,000 school and university accounts containing information on hundreds of thousands of students. The Pearson data breach took place in November 2018 but was only revealed this summer.

It’s not clear how many Colorado school districts are affected by the Pearson data breach, but Boulder Valley, Adams 12, and Thompson have all sent letters to families informing them of the problem and offering them a year of complimentary credit monitoring. Pearson has notified all the affected clients, but the company is leaving it up to school districts to notify parents in accordance with their own policies.

The risk to students is considered relatively modest. The unknown attackers obtained student names, birth dates, and in some cases, email addresses, but not Social Security numbers or financial information. There is no evidence so far that the information has been misused.

In its email to parents, the Thompson district characterized the information as similar to what appears in school directories and said the attackers did not get student passwords. Adams 12 said just 47 students had their information compromised, while Boulder Valley sent letters to parents of 60,000 students, the Daily Camera reported.

Stolen personal data has become an unfortunate fact of modern life, with everyday activities like shopping at Target or playing video games exposing users’ information. However, some parents are concerned about what the Pearson breach reveals about the vulnerability of student data.

Anna Segur, who has three children in the Boulder Valley School District, asked the Colorado Attorney General’s Office to look into data practices in the district because hundreds of vendors have access to student information and parents have very little idea which companies have access — and very little ability to consent to data sharing.

“There are unknown implications for children down the road, and they don’t even really know the impact,” Segur said. “It’s very concerning, and there needs to be much more oversight and regulation.”

A spokesman for the state attorney general’s office said officials there are aware of the breach and Segur’s letter, but declined to comment further.

Data privacy has been an ongoing concern in Colorado as digital assessments become commonplace. The State Board of Education has adopted strict policies to protect student information that some education advocates say go too far and prevent parents and community groups from understanding how well schools are serving vulnerable groups of students.

For example, when the Colorado Department of Education releases data on test scores or discipline practices, it redacts information on small groups of students — as well as information on other student groups, in a practice known as complementary suppression — so that no one could work backwards toward information about individual students.
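The following Python sketch illustrates complementary suppression on a single row of subgroup counts published alongside a total. It is an added example, not code from the Colorado Department of Education or from this article; the minimum group size of 16, the group names, and the counts are assumptions constructed for illustration.

```python
MIN_N = 16  # assumed minimum reportable group size (not from the article)

def primary_suppress(counts, min_n=MIN_N):
    """Redact every group smaller than min_n (None marks a redacted cell)."""
    return {g: (n if n >= min_n else None) for g, n in counts.items()}

def complementary_suppress(counts, min_n=MIN_N):
    """Primary suppression, plus one extra redaction when a single hidden
    cell could otherwise be recovered from the published total."""
    published = primary_suppress(counts, min_n)
    hidden = [g for g, n in published.items() if n is None]
    if len(hidden) == 1:
        visible = [g for g, n in published.items() if n is not None]
        if visible:
            # Hide the smallest remaining group, so subtraction reveals only
            # the sum of two hidden cells and not either individual value.
            published[min(visible, key=lambda g: counts[g])] = None
    return published

def derivable(published, total):
    """Audit check: cells a reader could reconstruct by subtracting the
    visible counts from the published total."""
    hidden = [g for g, n in published.items() if n is None]
    if len(hidden) != 1:
        return {}
    visible_sum = sum(n for n in published.values() if n is not None)
    return {hidden[0]: total - visible_sum}

# Constructed sample: students per subgroup at one hypothetical school.
counts = {"group_a": 212, "group_b": 48, "group_c": 23, "group_d": 5}
total = sum(counts.values())

if __name__ == "__main__":
    naive = primary_suppress(counts)
    print("primary only:", naive, "-> derivable:", derivable(naive, total))
    safe = complementary_suppress(counts)
    print("complementary:", safe, "-> derivable:", derivable(safe, total))
```

With only the small group redacted, its size falls out of the total by subtraction; redacting a second group closes that gap at the cost of publishing less data, which is the trade-off the advocates quoted above object to.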

The Pearson data breach was first reported by the Wall Street Journal in late July. According to reports, the FBI notified the company about the cyberattack in March. Colorado school districts started sending out notices to parents in August.

Pearson publishes textbooks and produces educational software. The attack targeted the AIMSweb program, which is used to assess student academic progress and screen for certain learning difficulties.

“Pearson Clinical Assessments notified affected customers of unauthorized access to approximately 13,000 school and university AIMSweb 1.0 accounts,” Pearson spokesman Scott Overland wrote in an email. “The exposed data was isolated to first name, last name, and in some instances may include date of birth and/or email address. Protecting our customers’ information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability.

“While we have no evidence that this information has been misused, we have notified the affected customers as a precaution. We apologize to those affected and are offering complimentary credit monitoring services as a precautionary measure.”