Nearly a million students and educators across the country have been affected by the Pearson data breach of the company’s AIMSweb 1.0 platform for student math and English/language arts screening and assessment.
The U.S. Federal Bureau of Investigation notified Pearson PLC about the November 2018 data breach of its Pearson Clinical Assessments’ platform through a third-party service provider in March 2019, and Pearson notified school districts in July 2019 after analyzing data to determine the size of the breach. News that the Pearson data breach exposed names, dates of birth and email addresses of students and school staff went public in late July in a Wall Street Journal article.
“This is a big breach impacting over 13,000 schools and universities throughout the country, so it definitely has to have more reach in Arizona,” said Zachery Fountain, director for communications and public relations for Flagstaff Unified, one of the school districts affected by the Pearson data breach.
So far, only a few Arizona school districts have reached out to The Arizona School Risk Retention Trust, Inc., about the Pearson data breach, and a couple districts have contacted law firms the Trust works with, said John Flanders, in-house counsel for the Phoenix nonprofit that provides cyber liability in its general liability coverage, property and related coverage for 250 of Arizona’s 641 traditional and charter school districts as well as community colleges in the state.
“This is a unique situation, because it happened to someone that our school districts were using as a vendor,” Flanders said.
Reach of the data breach and notification
Pearson has not released the exact number of people affected by the data breach, but media reports since late July indicate more than 980,625 people have been affected in the U.S. – including Nevada’s two largest public school districts, the Rochester, N.Y. area, Flagstaff Unified School District in Arizona, Greenville County Schools in South Carolina, schools in Lee’s Summit, Mo., Floyd County Schools in Georgia, Wallingford, Conn., schools, Schools of Osage in New Jersey, Mandan Public Schools in North Dakota, Marion County Public Schools in Florida, Joliet Township High School District in Illinois, Fargo Public Schools in North Dakota, Wilmington, Del., schools, Chicago-area schools, Chester County Intermediate Unit in Pennsylvania, students in Carmel, Indiana, and two school districts in the Naperville area.
School districts that believe they have been affected by the data breach are encouraged to call Pearson Clinical Assessment at 1-866-883-3309 or email email@example.com.
Scott Overland, director of media relations for Pearson PLC, said in a July 31, 2019 news release on Pearson’s corporate website, “We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability. While we have no evidence that this information has been misused, we have notified the affected customers as a precaution. We apologize to those affected and are offering complimentary credit monitoring services as a precautionary measure.”
An Arizona law firm has been in touch with Pearson trying to get the company to provide notification to all affected people, not just their customers – school districts, colleges and universities – but there’s been no confirmation of whether or not Pearson is going to do that, Flanders said. Instead, school districts are notifying students’ families and employees themselves.
“We’re preparing something on our own that we’ll be sending soon to our member school districts that they may want to use as a draft guideline,” Flanders said.
How Flagstaff Unified responded
Flagstaff Unified learned about the data breach in early August 2019. The district, which serves more than 9,800 students in Coconino County, found after investigating that their other services were not affected.
“We take data management and security seriously in the Flagstaff Unified School District,” Fountain said. “Upon receiving word of the breach, our teams worked to validate the issues, evaluate potential security issues, and inform those impacted in a quick manner that also ensured that the full scope of the issue was understood and could be communicated.”
On Aug. 20, 2019, Flagstaff Unified notified 6,597 students and 319 staff members that names, employee email addresses and, in limited cases, employee ID numbers were released during the breach of Pearson’s platform, which the district no longer uses.
Flagstaff Unified also set up a website where students’ families and employees could find updates on the situation.
Student data privacy concerns
Concerns about how private student data truly is have grown with the increased use of online education resources and mobile apps teachers and students use to track classroom assignments.
On Sept. 13, 2018, the FBI released a public service announcement warning that unsecured education technology systems could expose student data, leading to privacy and safety issues. The FBI noted that hackers broke into multiple school district servers across the United States in late 2017, accessed student contact information, education plans, homework assignments, medical records and counselor reports, and used that information to contact, extort, and threaten students with physical violence and release of their personal information.
No one might look at children’s FICO scores or credit reports until they turn 18 and apply for credit, said Wes Gates, IT director for The Arizona School Risk Retention Trust, Inc.
“For hackers, data you get from students is going to last for a long time. You get it when they’re young and it can be used potentially for the next 50 years,” Flanders said.
What schools should do after a cyberattack
If a school is targeted by a cyberattack, the first thing they should do is isolate the situation, contain the problem and take it out of their network, Gates said.
“IT usually does that before they contact us,” Gates said.
Then, they should contact their insurer and legal representation as soon as possible.
The Trust has offered cyber liability coverage for its members since 2013 with “$1 million per occurrence for that coverage with a $5,000 deductible,” said Ryan Cole, director of operations for The Arizona School Risk Retention Trust, Inc.
“Even if they’re not sure it’s an incident, the sooner we get involved, the more proactive we can be and get the appropriate vendors involved depending on the nature of the incident,” Gates said.
That’s important to get them up and running quickly, Gates said.
“Depending on the nature of the incident, we might get forensics involved,” Gates said. “We need to find out if it’s a reportable incident or not, and if any data has been exfiltrated or accessed outside of the organization.”
In addition, the Trust encourages schools to get involved in their cyber outreach program aimed at incident prevention and use their tools to actively help them assess their networks and find vulnerabilities.
“We try to talk about preventative measures and how to be more safe going forward, giving them the tools that they need and some ideas to think about,” Cole said.