Industry News

FBI Warns of Increasing Cybersecurity Risks at School

By Henry Kronk
September 19, 2018

Last week, the Federal Bureau of Investigation (FBI) issued a PSA regarding student cybersecurity. The announcement warns of the growing threat to student data as more and more learning goes online.

In today’s age, cybersecurity is always a concern. From network admins to average civilians who simply shop online, protection of personal data needs to remain an ever-present worry. And that is no more so than with K-12 learners who, increasingly, travel the hallways of the internet at school and at home to pursue their education.

From log in information to personalized learning software, students are frequently asked to provide networks with personal data. The FBI identifies these as:

  • personally identifiable information (PII);
  • biometric data;
  • academic progress;
  • behavioral, disciplinary, and medical information;
  • Web browsing history;
  • students’ geolocation;
  • IP addresses used by students; and
  • classroom activities.

The list is not exhaustive. While federal laws, such as the Family Educational Rights and Privacy Act (FERPA) generally stipulates that parents need to give consent before a school can collect their child’s data, there are numerous loopholes and workarounds

FBI Confirms Numerous Recent Cybersecurity Threats in Edtech

Fear is always a strong motivator, and there are many cases in which parental concern over student data collection appears overblown. With the PSA from the FBI, however, this is an issue that should be treated seriously. The announcement details recent cases of district data breaches.

“In late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States,” the PSA reads. “They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets. In response to the incidents, the Department of Education released a Cyber Advisory alert in October 2017 stating cyber criminals were targeting school districts with weak data security or well-known vulnerabilities to access sensitive data from student records to shame, bully, and threaten children.”


Edtech companies, according to the FBI, are no less secure.

“Cybersecurity issues were discovered in 2017 for two large EdTech companies, resulting in public access to millions of students’ data. According to security researchers, one company exposed internal data by storing it on a public-facing server. The other company suffered a breach and student data was posted for sale on the Dark Web.”

The announcement calls specific attention to classroom gadgets and IoT devices–which are growing popular in classrooms–and how they tend to be easy ports of entry.

“EdTech connected to networked devices or directly to the Internet could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments. Improperly secured take-home devices (e.g. tablets, laptops) or monitoring devices (e.g. in-school surveillance cameras or microphones), particularly those with remote-access capabilities, could be exploitable through cyber intrusions or other unauthorized means and present vulnerabilities for students.”

What You Can Do to Prepare

For a recommended course of action, the FBI says the following:

  • Research existing student and child privacy protections of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and state laws as they apply to EdTech services.
  • Discuss with their local districts about what and how EdTech technologies and programs are used in their schools.
  • Conduct research on parent coalition and information-sharing organizations which are available online for those looking for support and additional resources.
  • Research school-related cyber breaches which can further inform families of student data vulnerabilities.
  • Consider credit or identity theft monitoring to check for any fraudulent use of their children’s identity.
  • Conduct regular Internet searches of children’s information to help identify the exposure and spread of their information on the Internet.

Featured Image: J. Edgar Hoover Building, FBI headquarters, Washington, D.C. Cliff, Flickr.