UCPS student information made vulnerable due to insufficient security protections, superintendent says

UNION COUNTY, N.C. (WBTV) - Private information of students at schools districts and charter schools across the state were left vulnerable by a software misconfiguration by a third-party vendor, Union County Public Schools Superintendent Andrew Houlihan told parents in a letter this week.

According to the letter, the misconfiguration came after iLeadr, a company used by multiple school districts and charter schools, stored records in a cloud-based storage container without sufficient security protections.

The data vulnerability was noticed by the North Carolina Department of Public Instruction (NCDPI) over the summer, which prompted the NCDPI to immediately notify iLeadr. The vulnerability was then remedied within 24 hours.

At that time, it was not known whether student records had been disclosed, and an investigation was launched. The investigation confirmed that one or more files containing archived records may have been vulnerable to unauthorized access for a period of time.

However, UCPS said that at this time, there is no evidence that any specific student information was actually accessed. In addition, the district said there is currently no evidence to suggest that any of the student records were used for an improper purpose.

NCDPI released the following statement to WBTV:

On the afternoon of July 22nd, DPI began investigating a report of potential data exposure with the vendor i-Leadr.com This vendor was contracted directly with the impacted Public School Units (PSUs) and not through NCDPI. As soon as NCDPI was notified, the agency worked promptly and activated the cyber incident plan working directly with NC Department of Information Technology (NCDIT) and other members of the Joint Cyber Task Force (JCTF).

Together the agencies and impacted PSUs conducted a thorough investigation and took immediate actions to protect student data. Appropriate law enforcement agencies were involved with the investigation.

Because of the nature of the investigation, and in accordance with North Carolina General Statute Section 132-1.4, NCDPI is not able to confirm which PSUs were affected. But NCDPI can confirm that respective legal counsels for any impacted PSUs were notified within the affected PSUs on July 25, 2022. To the extent that any notification is required, it will originate from the PSU to the impacted individuals.

The superintendent’s letter said that files potentially exposed may have contained the following information:

Student name/student ID number
School name
Dates of birth, gender, ethnicity and race
Parent/guardian name and contact information
Qualifying status
Schools attended by grade
Attendance records
Core instruction plans and individual student learning plans
Universal screening/assessment data reports and progress monitoring data
Academic behavior/observations
Environmental inventory
Hearing/vision/speech screening results

According to UCPS, the student records that were vulnerable did not include Social Security numbers or financial information.

The district said in the letter that upon the NCDPI’s discovery, it immediately stopped uploading files to iLeadr’s platform, and participated in the investigation to identify what information may have been involved.

UCPS also stated that it is no longer using iLeadr’s services.

The district’s full letter to parents can be read here.

Copyright 2022 WBTV. All rights reserved.