Maryland Department of Education inappropriately stored personal data of over 1.4 million students

  • The audit found that the department does not have ‘sufficient’ malware protection and has not patched security vulnerabilities.
  • Moreover, some of the department’s software hasn’t been updated since 2008.

A recent audit has revealed that the Maryland Department of Education “inappropriately” stored personal data of over 1.4 million students and 230,000 teachers.

The big picture

The report published by the Maryland General Assembly’s audit office revealed that the education department stored personally identifiable information of students and teachers in plain text format and in unprotected databases.

  • The audit also found that the department does not have ‘sufficient’ malware protection and has not patched security vulnerabilities.
  • Moreover, it did not ensure that critical systems managed by third parties were protected against security risks.
  • Some of the department’s software hasn’t been updated since 2008.

The Maryland General Assembly’s audit office earlier recommended that the department remediate the issues in March 2019. In spite of that, the recent audit found student and teacher data to be unencrypted. It should be noted that the unencrypted student data also includes Social Security Numbers.

What was the response?

The education department has acknowledged the auditor’s recommendations to inventory its systems, delete all unnecessary sensitive data, and encrypt the sensitive data.

The education department’s IT division is working with the Maryland Department of Information Technology to resolve these issues by September 30, 2019.

“DoIT’s End User Services Team is currently in the process of investigating, documenting, and removing unnecessary or outdated third party software installations. DoIT’s End User Services Team will perform reviews every six months of software and perform software patching on approved third party software. DoIT’s Security Team will ensure that unnecessary software is removed,” the department said.

Cyware Publisher
