Maryland education dept. faulted for failing to adequately protect student, teacher info

A new school year is underway in Montgomery County, but students in Maryland's largest school system had mixed feelings about their longer summer break. (WTOP/Nick Iannelli)

An audit of Maryland’s education department is faulting the agency for failing to protect what should be confidential student and teacher information stored in databases that should also be confidential.

The database includes names and Social Security numbers for more than 1.4 million students and more than 233,000 teachers. The state is stressing that none of the data was actually compromised.

Many of the faults found in the Office of Legislative Audits review focused on technology. The audit said the databases containing that information were not adequately protected and that the information was often left in “clear text” in those databases. The audit said it’s information that is commonly associated with identity theft and that the state needs to do more to ensure “information is safeguarded and not improperly disclosed.”

The audit also found that applications and sensitive student data managed by third-party contractors also weren’t properly secured against “operational and security risks.”


Read the full audit.


In a statement, the education department told WTOP, “It is critical to note that the [department] has not experienced a data breach of any kind, and no data related to student and teacher information has been compromised. Additionally, student Social Security numbers are no longer collected by the department.”

But those weren’t the only faults that were discovered.

The audit criticizes the state’s lack of a complete disaster recovery plan in the event of an emergency, such as a fire, leaving the potential for major disruptions when it comes to restoring computers and other information systems.

The audit also found malware protection was less than adequate, noting that 15 servers were running operating systems that hadn’t been updated since 2015 because the developers no longer serviced those systems.

Beyond that, the department had done a less than adequate job of patching other “significant security-related vulnerabilities,” even when patches for those problems existed.

In a written response to the audit, the state’s superintendent of schools, Karen Salmon, said her agency will be giving “significant attention” to correct the problems cited in the report, and said in most cases those fixes should be in place by the end of September.

John Domen

John started working at WTOP in 2016 after having grown up in Maryland listening to the station as a child. While he got his on-air start at small stations in Pennsylvania and Delaware, he's spent most of his career in the D.C. area, having been heard on several local stations before coming to WTOP.

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up