PSA: Possible Breach/Exposure of Student Information Affecting Students in Ulster County Boces Region


BOCES, Onteora school officials angered by use of student names in training video

NEW PALTZ >> The use of student names by New Way Technologies in a training video for a data-sorting computer program has angered officials with Ulster BOCES and the Onteora school district.

The comments were made in the week since the video was posted and taken down from the company’s website. Board of Cooperative Educational Services Superintendent Charles Khoury said the video was produced using data given to New Way Technologies representative Art Ardolino, who did use names but did not include student information or statistics from tests.

“The names are not associated with the numbers,” Khoury said. “The names were scrambled from the data, so there was no relationship between the names and the data that appeared.”

However, Khoury is upset that the names of students from some of the districts in the Ulster BOCES service area were used.

“It was wrong,” he said. “Those names shouldn’t have been used. That wasn’t the purpose (for which) he had the data and he acknowledges that.”

Ulster BOCES had paid New Way Technologies $9,500 per year to develop a program that would make it easier for school districts to sort through test scores.

“I brought them in as a software consultant programmer back in 2013 … essentially to write programs to generate reports that had more graphics in them than the reports we were getting from the state,” Khoury said.

Concern over the training video, which New Way Technologies also used as a promotional tool, arose when Khoury recognized the name of Onteora school board member Ann McGillicuddy’s son.

“Through the superintendent I did write to the board … apologizing for the unfortunate release,” he said.

McGillicuddy did not return messages seeking comment but Onteora district Superintendent Victoria McLaren said the board was unhappy with student names being used by the company.

“We were obviously concerned that names of our students were shown on that training video,” she said. “We were pleased that the training video was taken down pretty quickly once we had questioned it and we were also relieved that the other data in that video that appeared was not real data related to any of the students’ names.”

McLaren said it was not clear how extensively the Onteora student names were used compared with other districts.

“The high school principal was able to recognize a couple of other names,” she said.

Information was not immediately available on whether other students names were used but the program has been used on a trial basis by the Rondout Valley school district. District Superintendent Rosario Agostaro on Tuesday said the video had been taken down before he could review the names of students.

“I have no access to it so I don’t know which kids were on it,” he said.

Khoury said use of the names did not violate privacy laws because there was no specific data associated with the students.

“It’s called directory information,” he said. “If it was connected to the data it would be significantly more of a problem, but directory information is subject to public release.”

Officials with New Way Technologies were not available Tuesday for comment Tuesday.

Also, see from July 2015:

Onteora school district has computer security problems, NY state auditors say

By William J. Kemble,
BOICEVILLE >> A state comptroller’s report says there are security deficiencies in the Onteora school district’s computer systems that could allow data breaches.

The problems were discovered in audit of the computer systems that covered the period July 1, 2013, to Nov. 5, 2014, the report said.

“We found that the [school] board did not establish an adequate acceptable use policy, a computer security plan, a disaster recovery plan, policies and procedures for disposal of computer equipment or a policy for security awareness training,” the auditors wrote.

“In addition,” the report states, “the district’s service-level agreement with the [Ulster] BOCES for network support specialists did not include written terms defining the service-level objectives and performance indicators, roles and responsibilities, nonperformance impact, security procedures, reporting requirements and review/update and approval precess. The [agreement] also did not clearly identify who was responsible for various aspects of the district’s [technology] environment.”

The auditors also found the school district’s computer hardware, which includes about 400 tablet computers, was not accurate or up to date and that there was no listing of software licenses. They noted that 18 of 31 ites, “including tablets and wireless streaming devices,” were not registered in an inventory system.

A key concern voiced by the auditors was that district officials had not done enough to protect the computer systems from outside intruders.

“Although the district used a program to filter Web content, we identified sites that were not reviewed for actual content,” the auditors wrote. “We reviewed 35 sites visited in the ‘unknown’ category and found that 13 sites had content in blocked categories. As a result, users could access inappropriate websites and put the district’s network at risk.”

The auditors said the absence of filters left the district vulnerable to cyber criminals who could gain information about students.

“Hackers can later use this information to access networks, databases and even bank accounts, resulting in high risk of loss,” the auditors wrote. “Internet browsing increases the likelihood that users will be exposed to some form of malicious software that may compromise data confidentiality.”

District officials have not returned a reporter’s calls about the report, but in a written response to the state, they said they plan to make changes in policy and procedures.

“Upon receipt of our final report, we will work to develop a comprehensive action plan to address the issues you have identified,” they wrote. “We have already begun to correct some of the items discussed in the exit interview.”

Schools of Thought Hudson Valley, NY

Screen Shot 2015-09-30 at 10.12.15 PM

An incident has come to my attention that all  parents Ulster County BOCES region should be aware of. There has been possible breach/exposure of student information by New Wave Technologies, a vendor providing web based technologies to teachers for use in schools. The story is developing. Please see below for what we know right now.

It has come to light that Ulster County BOCES shared private student data with a for profit company NewWay Technologies to develop “new data visualization tools” that would allow teachers to analyze student test scores on iPhones, tablets, and computers.

National renowned student data privacy advocate Leonie Haimson discovered that New Way Technology was using the names and data of Ulster County students in it’s promotional videos which were taken down on September 29th. Numerous screenshots reveal the names of real students from districts throughout Ulster County. Each name is associated with an id number…

View original post 211 more words

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s