Industry News

INTO Breach Highlights the Thicket of Issues Surrounding LMS Security

By Henry Kronk
September 28, 2017

Earlier this month, the Irish National Teacher’s Organisation (INTO) alerted its members to an LMS security incident. The user information of roughly 30,000 teachers—including their full name, email, gender, city, and country—had fallen into hackers’ hands.

Thankfully, this was the extent of the damage. Financial information was safely secure with the third party processing service Realex. Passwords, furthermore, had been encrypted and were not compromised.

Investigators have not yet confirmed whether or not this information was taken at all. Administrators were tipped off when they identified their own servers as the source of spam messages.

“While we have no evidence to suggest this data was in fact stolen, the data was potentially at risk and thus potentially accessible to the third party behind the breach,” said Peter Mullen, the INTO assistant general secretary, according to the Irish Times.

The growing vulnerability of LMS platforms and portals

The breach highlights a danger that has been looming on the horizon for years: as more and more institutions, universities, and private companies adopt a platform-based management system, they expose their users’ information to potential theft.

In education, the growth of learning management systems has exploded in the past decade. According to a recent report by Market Research Future, the market is currently growing at a CAGR of 22% while analysts expect LMS’s to generate $17 billion in annual profits by 2022.

The way entities operate learning management systems is changing too. Throughout the first decade of their use, they were hosted primarily by either the institutions’ servers or those managed by the LMS provider.

But today, many LMS platforms operate entirely over the cloud. Virtually every LMS offers the option of either cloud or private server hosting while some don’t have a private server option at all.

Cloud vs. Server Security

From the viewpoint of cybersecurity, trying to decide between a cloud- vs. server-hosted LMS can be a nightmare. On the one hand, cloud providers are expected to provide a high level of security protection to the information they handle.

Amazon Web Services (AWS), who currently offers by far the most cloud storage, encrypts everything it accepts, sends, and stores. In total, they implement over 1,800 security controls. Clients can either entrust their encryption keys with AWS or keep them for themselves.

“Most of our security innovation comes from customer demand,” says Ian Massingham, who oversees AWS operations in Europe, the Middle East, and Africa, according to the BBC, “so the bar for security gets ratcheted up every time.”

Many companies do not have a problem entrusting a cloud provider with their information. That said, as AWS and other providers grow, the target on their back gets bigger and more enticing to cybercriminals.

When it comes to private servers, company administrators maintain complete control. Major cybercrime events won’t affect the company system, and management maintains a substantially smaller circle of trust.

On the other hand, the people companies trust with all the information stored on their servers aren’t always pros when it comes to IT. Human error is by far the most common cause of large security breaches. A 2014 report by IBM’s Cyber Security Intelligence Index found that “95 percent of all security incidents involve human error.”

LMS platforms of universities, K-12 school systems or other institutions do not seem the most likely targets of attack. But considering the users tend to be children, adolescents, university students, and other non-IT specialists, the risk of a cyber-attack is quite high.

It’s more complicated than cloud vs. server in LMS security

The breach of the INTO portal illustrates how complicated the issue of security in LMS products can be. The INTO servers were compromised, but at least they encrypted their passwords, saving them from the hackers.

They had also integrated with a third party e-commerce facilitator, which stores their financial info on their own private servers.

Most LMS platforms can integrate with thousands of web apps and services. With each new integration, data is going somewhere different. These apps furthermore, require consistent maintenance to ensure they are free from vulnerabilities.

In the recent Equifax breach, for example, hackers gained access to the Equifax system via a bug in the Apache Struts web app, an enterprise platform. The company had provided an update which Equifax failed to implement.

True, running an LMS platform on the cloud may sound risky, but it increasingly seems like the most secure method of operating.