Are UK teacher and pupil profile data stolen, lost and exposed?

While everyone is focused on #WannaCry ransomware, it appears that a global edTech company has had a potential global data breach that few are yet talking about.

Edmodo is still claiming on its website it is, “The safest and easiest way for teachers to connect and collaborate with students, parents, and each other.” But is it true, and who verifies that safe is safe?

Edmodo data from 78 million users for sale

Matt Burgess wrote in VICE: “Education website Edmodo promises a way for “educators to connect and collaborate with students, parents, and each other”. However, 78 million of its customers have had their user account details stolen. Vice’s Motherboard reports that usernames, email addresses, and hashed passwords were taken from the service and have been put up for sale on the dark web for around $1,000 (£700).

“Data breach notification website LeakBase also has a copy of the data and provided it to Motherboard. According to LeakBase around 40 million of the accounts have email addresses connected to them. The company said it is aware of a “potential security incident” and is investigating.”

The Motherboard article by Joseph Cox, says it happened last month. What has been done since? Why is there no public information or notification about the breach on the company website?

Joseph doesn’t think profile photos are at risk, unless someone can log into an account. He was given usernames, email addresses, and hashed passwords, and as far as he knows, that was all that was stolen.

“The passwords have apparently been hashed with the robust bcrypt algorithm, and a string of random characters known as a salt, meaning hackers will have a much harder time obtaining user’s actual login credentials. Not all of the records include a user email address.”

Going further back, it looks like Edmodo’s weaknesses had already been identified 4 years ago. Did anything change?

So far I’ve been unable to find out from Emodo directly. There is no telephone technical support. There is no human that can be reached dialling the headquarters telephone number.

Where’s the parental update?

No one has yet responded to say whether UK pupils and teachers’ data was among that reportedly stolen.

While there is no mention of the other data the site holds being in the breach, details are as yet sketchy, and Edmodo holds children’s data. Where is the company assurance what was and was not stolen?

As it’s a platform log on I would want to know when parents will be told exactly what was compromised and how details have been exposed. I would want clarification if this could potentially be a weakness for further breaches of other integrated systems, or not.

Are edTech and IoT toys fit for UK children?

In 2016, more than 727,000 UK children had their information compromised following a cyber attack on VTech, including images.

In Spring 2017, CloudPets, the maker of Internet of Things teddy bears, left more than two million voice recordings from children online without any security protections and exposing children’s personal details.

As yet UK ministers have declined our civil society recommendations to act and take steps on the public sector security of national pupil data or on the private security of Internet connected toys and things. The latter in line with Germany for example.

It is right that the approach is considered. The UK government must take these risks seriously in an evidence based and informed way, and act, not with knee jerk reactions. But it must act.

Two months after Germany banned the Cayla doll, we still had them for sale here.

Parents are often accused of being uninformed, but should we not expect that our products pass a minimum standard of tech and data security testing as part of pre-sale consumer safety testing?

Yes parents have a responsibility to educate themselves to a reasonable level of user knowledge. But the opportunities are limited when there’s no transparency. Much of the use of a child’s personal data and system data’s interaction with our online behaviour, in toys, things, and even straightforward websites remains hidden to most of us.

The Edmodo privacy policy contains no mention of profiling or behavioural web tracking, for example. But this savvy parent spotted it was happening and it appears the company responded properly to fix it, given strict COPPA rules it is perhaps unsurprising.

But will our government respond and fix their public sector holes?

Are public sector policy, practice and people, fit for managing UK children’s data privacy needs?

Should we not expect public sector to champion the best in public data protection?

Two years on, working on fixes in basic national pupil data improvement, and safe data policy, is far too slow.

The Department for Education is still cagey about telling schools it gives away national pupil data including to commercial companies without pupil or parental knowledge, and hides the Home Office use, now on a monthly basis, by not publishing it on a regular basis.

These uses of data are not safe, and expose children to potential greater theft, loss and selling of their personal data. It must change.

In our UK schools, just like the health system, the basics are still not being fixed or good practices on offer to staff. Teachers in the UK, get no data privacy or data protection training in their basic teacher training. That’s according to what I’ve been told so far from teacher trainers, CDP leaders, union members and teachers themselves,

Would you train fire fighters without ever letting them have hose practice?

School staff and teachers manage, collect, administer personal data daily, including signing up children as users of web accounts with technology providers. How can they use these tools and not put others at risk, if untrained in the basics of good data handling practices?

Infrastructure is known to be exposed and underinvested, but it’s not all about the tech. Security investment must also be in people.

Systemic failures seen this week are not limited to the NHS. This from George Danezis could be, with few tweaks, copy pasted into education. So the question is not if, but when, unless it’s fixed.

“…from poor security standards in heath informatics industries; poor procurement processes in heath organizations; lack of liability on any of the software vendors (incl. Microsoft) for providing insecure software or devices; cost-cutting from the government on NHS cyber security with no constructive alternatives to mitigate risks; and finally the UK/US cyber-offense doctrine that inevitably leads to proliferation of cyber-weapons and their use on civilian critical infrastructures.” [Original post]

Leave a Reply

Your email address will not be published.