PLAN AHEAD: Latest Weather Forecast Video
NC DHHS Flu
Marketplace
Meet the WBTV News Team!
Traffic
Remembering Jason & Chip

UCPS parent shares concerns over student data vulnerabilities

The lapse occurred after records were stored in a cloud-based container without sufficient security protections.
One UCPS parent said she didn't hesitate when she got the letter and hopes all districts crack down on the vendors they're storing personal information with.
By Courtney Cole
Published: Nov. 1, 2022 at 8:08 PM EDT
Email This Link
Share on Pinterest
Share on LinkedIn

MONROE, N.C. (WBTV) - A Union County mother is speaking out after learning thousands of students’ personal information was exposed last month.

Union County Public Schools Superintendent Andrew Houlihan sent a letter to families two weeks ago that stated private information of students at school districts and charter schools across the state were left vulnerable by a software misconfiguration by a third-party vendor, i-Leadr, INC.

According to the letter, the misconfiguration came after i-Leadr, a company used by multiple school districts and charter schools, stored records in a cloud-based storage container without sufficient security protections.

WBTV obtained a copy of the initial contract between the school district and i-Leadr which was signed in November 2018 and was set up as the early warning system for EPIC schools. The contract listed a total of 13 schools including nine elementary, two middle, and two high schools.

According to the letter the data “may have been vulnerable to unauthorized access for a period of time,” but the district did not have evidence that the data was used by anyone for an “improper purpose.”

“The data was temporarily made vulnerable. I want to know how long it was vulnerable,” said parent Maria Palacios.

Palacios shared her concerns with WBTV and says her immediate thought went to hackers who prey on private information.

“Think about the people [who] are looking to do bad things out here and looking out for when data is made available,” she said.

The letter stated that financial information and social security numbers were not stored in this system and were not exposed.

The superintendent’s letter said that the files potentially exposed may have contained the following information:

  • Student name/student ID number
  • School name
  • Dates of birth, gender, ethnicity, and race
  • Parent/guardian name and contact information
  • Qualifying status
  • Schools attended by grade
  • Attendance records
  • Core instruction plans and individual student learning plans
  • Universal screening/assessment data reports and progress monitoring data
  • Academic behavior/observations
  • Environmental inventory
  • Hearing/vision/speech screening results

Previous Coverage: UCPS student information made vulnerable due to insufficient security protections, superintendent says

The North Carolina Department of Public Instruction started investigating in late July after hearing reports of a potential data exposure with i-Leadr.

NCDPI released the following statement to WBTV earlier this week:

On the afternoon of July 22nd, DPI began investigating a report of potential data exposure with the vendor i-Leadr.com This vendor was contracted directly with the impacted Public School Units (PSUs) and not through NCDPI. As soon as NCDPI was notified, the agency worked promptly and activated the cyber incident plan working directly with NC Department of Information Technology (NCDIT) and other members of the Joint Cyber Task Force (JCTF).

Together the agencies and impacted PSUs conducted a thorough investigation and took immediate actions to protect student data. Appropriate law enforcement agencies were involved with the investigation.

Because of the nature of the investigation, and in accordance with North Carolina General Statute Section 132-1.4, NCDPI is not able to confirm which PSUs were affected. But NCDPI can confirm that respective legal counsels for any impacted PSUs were notified within the affected PSUs on July 25, 2022. To the extent that any notification is required, it will originate from the PSU to the impacted individuals.

Palacios suggests school leaders re-examine the cybersecurity standards that their third-party vendors have.

“I would like to see that change, if it’s already there I would like to know that it’s already there,” she said. “I just would like to know there is something in place to safeguard student data.”

WBTV reached out to i-Leadr for comment, but we have not heard back at the time of this writing.

UCPS says parents who have concerns about their data should contact the district’s Central Services staff.

Copyright 2022 WBTV. All rights reserved.

Most Read

A 16- and an 18-year-old were killed after a police chase late Thursday night ended in a crash...
Teens killed after chase ends in crash in Rowan Co., troopers say
The North Myrtle Beach Police Department are praising Officer Wallace for her quick thinking...
Officer saves kidnapped woman who mouthed ‘help me’ during traffic stop
Police said a rideshare vehicle was shot into, injuring a passenger, on I-85 in north Charlotte.
Report: 3 teens inside Lyft vehicle fired upon on I-85 in Charlotte
Kannapolis Police found a man shot and killed at a home on Wednesday afternoon.
Police investigating deadly shooting at Kannapolis home
Joshua Lamont Pelzer
Man arrested after attempting to abduct girl in Gaston County

Latest News

Ceyonna Morris
Father searching for answers six months after daughter’s murder in north Charlotte
A 26-year-old man died more than a week after he was shot in uptown Charlotte.
Man dies more than a week after uptown Charlotte shooting, suspect arrested
A rally is set for Saturday to push for increased safety measures for CATS bus operators.
Community rally calls on increased safety measures aboard CATS buses
Summer Learning Loss
Teens killed after chase ends in crash in Rowan Co., troopers say