Student data used in the social networking educational platform Edmodo was stolen a year and a half ago. The Washoe County School District is now considering hiring a consultant to investigate whether any student information was compromised.
Board of Trustees President Katy Simon Holland, speaking from a prepared statement at Tuesday’s board meeting, said student data was not breached:
“As many of you know I have received a number of emails and phone calls regarding data privacy and … a potential data breach, and I immediately asked staff to look into this issue. I can share that there has been no data breach of Washoe County School District data, nor has any … student information been compromised. We want to ensure parents and the community that the district has a comprehensive approach to protecting this data using every tool available to secure the network.”
Simon Holland said more information will be going out to parents in the future.
Public commenters at the meeting countered the district’s statements.
“Your statement does not seem to jibe with other statements I have heard about Edmodo and the material that is gathered by them on the students within the district,” said William Tarbell.
Margaret Martini also said the district’s comments weren’t accurate.
“The school board and superintendent have been asked time and time again … for a few years now to educate parents on the dangers of using free, third-party software,” she testified. “You all have chosen to ignore the facts. And now the data breach has become true — irrevocably true.
“We now know that Washoe County School District children who had an Edmodo account had their IDs stolen and sold on the dark web. (The district) has shown via (the) data breach that they cannot keep students’ IDs safe.”
Edmodo was hacked in May 2017. The hacker stole 77 million Edmodo user accounts, including emails, usernames, and hashed passwords, as reported by Vice at the time.
The company responded:
“Protecting the privacy of our users is of the utmost importance to Edmodo. We take this report very seriously, and we are investigating. We have no indication at this time that any user passwords have been compromised, and we want to let everyone know that we are working with law enforcement.”
Motherboard/Vice reported that the passwords were, essentially, encrypted and that the account information was being sold for $1,000 on a dark web marketplace.
Since then, Edmodo was sold to a Chinese company, NetDragon, for $138 million.
“The acquisition of Edmodo is a testament to NetDragon’s on-going commitment to building the largest active online learning community on a global scale,” the company wrote in a press release.
Neither the hack, nor the sale to a Chinese company, sat well with those raising questions to the school board.
Steve Dolan called the hack scary.
“I believe one of the ways to improve the optics and the transparency is that you allow parents to opt-out and you keep them informed of this type of information that’s going around,” he said. “Put it out in the public for everyone to see. I appreciate that you are aware of this.”
John Eppolito, who has warned the district about student privacy concerns, also spoke.
“Just to make a couple things clear: nobody has claimed that the school district has had a data breach yet,” he told the board. “The data is with Infinite Campus and the Nevada Department of Education and these third party vendors.
“The student IDs in our county … the student email addresses and the usernames are the IDs,” he said. “I don’t know why. It leaves our people very vulnerable, and now Edmodo has breached that data. It took the district a year and a half to say something that I don’t believe, frankly.
“Now we know that Edmodo has been sold to the Chinese. Maybe in a year and a half you will deny that too, but in the meantime, several entities have written about this sale, and they are very concerned about United States children,” he added. “The biggest thing that’s happening are the profiles that these third-party vendors are creating on our children. That’s what the Chinese now have.”
Simon Holland said that student ID numbers are encrypted on multiple levels.
“I am concerned, and there are many of us who are concerned about this,” she reiterated. “We are considering two actions. One is to retain outside consulting to assess whether any of our student personal information has been compromised. We’re confident that it has not, but we want to have someone else verify that.
“We are also interested in pursuing discussions with the state, because the state … does manage or oversee the Infinite Campus information. We really do believe this is a statewide issue.”
She said there’s an opportunity for increased cybersecurity statewide.