An audit of Maryland’s education department is faulting the agency for failing to protect what should be confidential student and teacher information stored in databases that should also be confidential.
The database includes names and Social Security numbers for more than 1.4 million students and more than 233,000 teachers. The state is stressing that none of the data was actually compromised.
Many of the faults found in the Office of Legislative Audits review focused on technology. The audit said the databases containing that information were not adequately protected and that the information was often left in “clear text” in those databases. The audit said it’s information that is commonly associated with identity theft and that the state needs to do more to ensure “information is safeguarded and not improperly disclosed.”
The audit also found that applications and sensitive student data managed by third-party contractors also weren’t properly secured against “operational and security risks.”
In a statement, the education department told WTOP, “It is critical to note that the [department] has not experienced a data breach of any kind, and no data related to student and teacher information has been compromised. Additionally, student Social Security numbers are no longer collected by the department.”
But those weren’t the only faults that were discovered.
The audit criticizes the state’s lack of a complete disaster recovery plan in the event of an emergency, such as a fire, leaving the potential for major disruptions when it comes to restoring computers and other information systems.
The audit also found malware protection was less than adequate, noting that 15 servers were running operating systems that hadn’t been updated since 2015 because the developers no longer serviced those systems.
Beyond that, the department had done a less than adequate job of patching other “significant security-related vulnerabilities,” even when patches for those problems existed.
In a written response to the audit, the state’s superintendent of schools, Karen Salmon, said her agency will be giving “significant attention” to correct the problems cited in the report, and said in most cases those fixes should be in place by the end of September.
