Montclair, NJ Cancels Tests After Data Leak


In what will likely be one of a long string of district-level data compromises, testing in Montclair, New Jersey, was cancelled after copies of the tests were leaked online.

The breach of test security in the Montclair, N.J., school district was discovered by a parent on Friday, leading to a “full legal investigation,” said Penny MacCormack, the superintendent. She said that only “teachers and senior staff here would have password access” to the secure web portal that contains the exams.

This comes in close proximity to the reported security breach in Sachem, NY, where nearly 17,000 current and past students had their data taken from a district-controlled web portal.

District-level data breaches bring up questions of how districts are training staff at all levels to handle sensitive data securely. The reflexive response within many districts will probably be to outsource data storage to external companies, but this is not an adequate response for several reasons. First, these companies provide another location where data can be compromised - data stored offsite is (potentially) only as secure as the weakest link in the outside company. Additionally, pushing data to an external company for safekeeping does nothing to eliminate the risk of password compromise from people within the district. Given that people within an organization dedicated to secrecy can share their passwords without thinking through the potential consequences, it's almost certain that similar sharing occurs within school districts.

At the risk of both understating and oversimplifying a complex issue, security is difficult. People working to compromise a system only need to be right once, while the teams running the security need to be right all of the time. The work of security is also complicated because end users on a system are often the ones to feel the burden of additional security measures, and when that happens, they frequently complain - loudly. Tension generally exists between security within a system and the usability of the system, and system admins tend to be harassed more for end user problems than they are thanked for preventing data breaches.
