home.social

#edusec — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #edusec, aggregated by home.social.

  1. Beginning circa 2010, I would call the NYS Comptroller's Office and the NYC Comptroller's Office to request audits of the NYC Department of Education's IT security, as the 2004 audit and re-audits identified major gaps and problems. My last post criticizing the absence of any current audit was published in 2023.

    They actually were conducting an audit between 2020 and 2025, and the state has just released the public part of the audit report.

    Read Chalkbeat's media coverage of the audit here: chalkbeat.org/newyork/2026/05/

    Read the public part of the audit report here:
    osc.ny.gov/files/state-agencie

    I've posted a few comments at
    databreaches.net/2026/05/05/ny

    #EduSec #NYCPS #audit #NYSComptroller #databreach #infosec #cybersecurity

  2. @funnymonkey Thanks for the kind words.

    Someone commented on my Instructure post with a comment as "Sysadmin." They wrote:

    "Are you effin kidding me! We got an Email from Instructure saying we were impacted and now we have to inform all the students and families in our district.

    Why do these ShinyHunters keep attacking the edtech sector?? PowerSchool, infinite campus and now this.

    It’s only a Sunday night and law enforcement has still done nothing about these hackers. Regulators really need to hold these companies accountable for poor security practices."

    They raise valid points.

    #edtech #EduSec #cybersecurity #vendor #supplychain #databreach #hackandleak

  3. Entities rush to declare that data hasn't been stolen/they haven't been hacked. They often wind up looking like liars or just more incompetent when the hacker starts dumping or leaking data as proof.

    This week's example: U. of Pennsylvania, which quickly declared they hadn't been hacked and it was just a vulgar email sent out. The hacker seems to have proved otherwise.

    bleepingcomputer.com/news/secu

    #EduSec #databreach #cybersecurity #UPenn

  4. @douglevin @funnymonkey @brett

    OK, so the bad news is that it looks like it's true. I got access to the data tranche and there is a LOT of student PII in there in terms of PDF files/letters and psych evals, and I spotted a .csv file with disabilities records on 2k students from 2017 with their IEP disability classification, name, services to be given, etc. I haven't yet started googling names, so I'm saying the data looks real but I haven't actually tried to confirm that yet.

    A lot of the documents such as attendance and truancy letters for named students were OLD -- like back to 2003, etc.

    I have a feeling that these records -- assuming, for now, that they are real -- do not necessarily trigger notification requirements under the D.C. notification law, but I have emailed DC to ask for clarification on the application of their law to student records.

    I have not really spotted employee personnel data of note, but have only skimmed the tranche with a focus on student info.

    If you HMU on Signal, I can give you the entire filelist for the tranche.

    #EduSec #databreach #cybersecurity #legacydata #FERPA

  5. Don't procrastinate if you were affected:

    Citizens whose SSN was compromised in the MOVEit breach at the National Student Clearinghouse (NSC) have until May 26, 2025, to file a claim to be part of the $9.95 million class action settlement.

    Eligible individuals are those whose Social Security number was included in the files affected by the MOVEit security incident between May 28 and May 31, 2023. See more details and access the claim form at the official settlement website: nscsettlement.com/

    #databreach #EduSec #MOVEit #Clop

  6. N.J. school accidentally released names of kids who opted out of sex education:

    nj.com/education/2024/11/nj-sc

    It seems they had redacted the names in the .pdf version, but the web .HTML version was exposing the names. Ok, chalk it up to error? But then someone claims that a school official knew about this problem a year ago and did nothing about it?

    And of course, what's the remedy under #FERPA? Oh, that's right -- there is none.

    @douglevin @funnymonkey @brett @mkeierleber

    #EduSec #infosecurity #dataprotection

  7. For your "No need to hack if it's leaking" files:

    "Confidential student information was unintentionally leaked in Naperville Central’s School Improvement Plan, which was released publicly on Friday, Sept. 20. It was removed on Tuesday, Sept. 24 around 3:35 p.m. when Central Times staff brought the breach to the attention of Principal Jackie Thornton."

    Read more at centraltimes.org/showcase/2024

    #EduSec #exposure #leak #databreach #FERPA

    @douglevin @funnymonkey @brett

  8. @douglevin @brett @funnymonkey Well, as we all know too well, #FERPA doesn't even require notification, so let's look to state law. According to the Kansas AG:

    "Kansas law requires any person who conducts business in this state that owns or licenses computerized data including personal information to conduct good faith investigations into the likelihood that personal information has been or will be misused when it becomes aware of any breach of the security of the system. (K.S.A. 50-7a02.) If the investigation reveals that Personal Information has been misused, or is likely to be misused, the person must give notice to the affected Kansas resident without unreasonable delay and as soon as possible."

    Not much help there. But I don't think almost a year is reasonable.

    #EduSec #Infosec #notification #databreach