UCPS parent shares concerns over student data vulnerabilities

The lapse occurred after records were stored in a cloud-based container without sufficient security protections.
One UCPS parent said she didn't hesitate when she got the letter and hopes all districts crack down on the vendors they're storing personal information with.
Published: Nov. 1, 2022 at 8:08 PM EDT

MONROE, N.C. (WBTV) - A Union County mother is speaking out after learning thousands of students’ personal information was exposed last month.

Union County Public Schools Superintendent Andrew Houlihan sent a letter to families two weeks ago that stated private information of students at school districts and charter schools across the state were left vulnerable by a software misconfiguration by a third-party vendor, i-Leadr, INC.

According to the letter, the misconfiguration came after i-Leadr, a company used by multiple school districts and charter schools, stored records in a cloud-based storage container without sufficient security protections.

WBTV obtained a copy of the initial contract between the school district and i-Leadr which was signed in November 2018 and was set up as the early warning system for EPIC schools. The contract listed a total of 13 schools including nine elementary, two middle, and two high schools.

According to the letter the data “may have been vulnerable to unauthorized access for a period of time,” but the district did not have evidence that the data was used by anyone for an “improper purpose.”

“The data was temporarily made vulnerable. I want to know how long it was vulnerable,” said parent Maria Palacios.

Palacios shared her concerns with WBTV and says her immediate thought went to hackers who prey on private information.

“Think about the people [who] are looking to do bad things out here and looking out for when data is made available,” she said.

The letter stated that financial information and social security numbers were not stored in this system and were not exposed.

The superintendent’s letter said that the files potentially exposed may have contained the following information:

  • Student name/student ID number
  • School name
  • Dates of birth, gender, ethnicity, and race
  • Parent/guardian name and contact information
  • Qualifying status
  • Schools attended by grade
  • Attendance records
  • Core instruction plans and individual student learning plans
  • Universal screening/assessment data reports and progress monitoring data
  • Academic behavior/observations
  • Environmental inventory
  • Hearing/vision/speech screening results

Previous Coverage: UCPS student information made vulnerable due to insufficient security protections, superintendent says

The North Carolina Department of Public Instruction started investigating in late July after hearing reports of a potential data exposure with i-Leadr.

NCDPI released the following statement to WBTV earlier this week:

On the afternoon of July 22nd, DPI began investigating a report of potential data exposure with the vendor i-Leadr.com This vendor was contracted directly with the impacted Public School Units (PSUs) and not through NCDPI. As soon as NCDPI was notified, the agency worked promptly and activated the cyber incident plan working directly with NC Department of Information Technology (NCDIT) and other members of the Joint Cyber Task Force (JCTF).

Together the agencies and impacted PSUs conducted a thorough investigation and took immediate actions to protect student data. Appropriate law enforcement agencies were involved with the investigation.

Because of the nature of the investigation, and in accordance with North Carolina General Statute Section 132-1.4, NCDPI is not able to confirm which PSUs were affected. But NCDPI can confirm that respective legal counsels for any impacted PSUs were notified within the affected PSUs on July 25, 2022. To the extent that any notification is required, it will originate from the PSU to the impacted individuals.

Palacios suggests school leaders re-examine the cybersecurity standards that their third-party vendors have.

“I would like to see that change, if it’s already there I would like to know that it’s already there,” she said. “I just would like to know there is something in place to safeguard student data.”

WBTV reached out to i-Leadr for comment, but we have not heard back at the time of this writing.

UCPS says parents who have concerns about their data should contact the district’s Central Services staff.