Two of the districts covered in our 2022 benchmark find themselves victims of recent data breaches at the hands of the same entity, SingularityMD [not to be confused with the company of the same name], Clark County Public Schools in Nevada and Jefferson County Public Schools in Colorado. If Jefferson County Public Schools rings a bell, it had the dubious honor of being home to the school with the greatest number of technologies recommended to students (over 1400). In our benchmark recommendations, we strongly suggest that schools reduce the number of off-the-shelf technologies recommended to students, due to the privacy risks for children in nearly all such technology. But is there a connection between over-zealous technology promotion and the risk of data breach?
Well yes, there is a connection—not necessarily a causal relationship, but a connection, nonetheless. From the report here https://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/?hss_channel=lcp-3552449, the threat actors availed themselves of risky behaviors on the part of the school:
- The breach began by compromising a student’s account, and then working into teacher and then system access. The initial access of the student account was made easy by the typical school practice of using date of birth as student passwords.
- They pulled the student’s date of birth off social media accounts, and
- They used “the email address from the student’s account on “TikTok, etc.” where the student ID had been used as the username because the student authenticated their school account when setting up the social media account.”
The use of weak login credentials comes as no surprise. In our 2022 benchmark, we found login instructions on many school or district websites, often using the student ID, first name/last name, and/or birthdate as part of the credentials. We understand the motivations for this practice, but it must stop. From the DataBreaches report:
“So when will the U.S. Department of Education and/or states make it absolutely clear that districts should not use date of birth as passwords and that districts may risk state enforcement action and/or risk losing federal funding for failure to adequately protect student information if they continue to do so?”
Perhaps there’s a low-hanging solution: should schools mandate the use of password managers for all students and employees? We did not find any schools doing this in the 2022 benchmark.
Getting back to school use of social media. At the time of data collection for our benchmark (2022) we did not track how many schools were actively using TikTok and the service did not come up on our aggregated list of over 1700 technologies recommended/required by schools. This week we did a quick search of the 663 benchmark schools’ websites and only 8 sites mentioned TikTok accounts, though this can’t be considered a definitive measure of all the schools in our benchmark who may have teacher-created or school-related TikTok accounts.
From the benchmark data, we found that 91% of schools use Facebook to communicate with students. Could TikTok be on its way to that level of usage by schools? With its ready-built teen audience, TikTok may prove too irresistible to not be used for school related purposes. Along those lines, we were surprised at how easy it was to find TikTok how-to guides for educators, like this https://www.techlearning.com/how-to/how-can-tiktok-be-used-in-the-classroom and this How ‘TeachTok’ is helping teachers connect with their students on TikTok (theconversation.com).
As mentioned earlier, TikTok wasn’t included in our original EdTech benchmark—frankly, a hopeful sign because schools weren’t recommending it to students—so we ran a privacy audit on the app and results can be found in app microscope (here’s the safety label for the Android version: https://appmicroscope.org/app/1729/ ). As can be seen from the safety label headers below, the TikTok apps scored our highest risk score, Very High Risk, due to the presence of risky third-party SDKs. Our current scoring rubric doesn’t relate to the cybersecurity risk of how the service was used to obtain credentials, but it does reinforce the fact that TikTok is risky for users. Stay tuned for a deeper dive on TikTok in a future post.