“It’s the Thing that Keeps Me Up at Night.” – BVSD Revisits Security and Vendor Contracts After Breach

Henry Larson

Thousands of BVSD students use Pearson software for their schoolwork.

  65,000 Boulder Valley School District (BVSD) Students were affected by a data breach which released their personal information this past November. Students, both graduated and still enrolled in BVSD, had their first and last names compromised as well as their date of birth.

Even though the data breach happened in 2018, and Pearson discovered it in March of this year, they only alerted the district nine months after the fact.

Documents obtained by the Royal Banner show that Pearson attempted to mail notification of the breach to BVSD as early as July 19th of this year but, due to a mailing address error, the district only heard of the breach on August 1st.

An unknown third party obtained the information through Pearson Education’s AIMSweb 1.0 program.

“Teachers use AIMSweb to provide support for students who could have an Individualized Education Plan,” said Superintendent Rob Anderson. “The system allowed teachers to track what [students] were doing and how they were helping kids.”  

Pearson — which provides BVSD with standardized testing material, textbooks and other resources — did not respond to a request for comment.

“Pearson is saying that they don’t believe the data is being used maliciously, and that tells me that they likely have more information than they’re able to share at this time,” said Andrew Moore, the Chief Information Officer of the BVSD.

As recent incidents like this one concerning data privacy have caused worry, BVSD has attempted to step up their data security protocols.

“With this breach and some of the other huge breaches that we’ve seen recently, we’re on heightened alert to make sure we are keeping everyone’s information safe,” said Anderson.

Since the breach happened to Pearson’s software, Anderson said that board members are deciding if they will hold a public discussion with Pearson regarding their responsibility in this incident.

“[T]here could be a hearing. I think our board is still considering whether or not to have a public hearing to bring Pearson to the table to talk about this breach,” said Anderson.

The district is also focusing on making sure a repeat of this event doesn’t happen again.

“We’ve sent formal requests to Pearson asking for a specific audit information that they are obligated to provide us,” said Moore.

In addition, the superintendent commented that, in the future, the school district would be open to pursuing an increase in communication with 9-12 grade students regarding such concerns about information privacy.

“Whose information was it? It’s not your parent’s birthday [that was leaked], it’s yours,” said Anderson.

The district only addressed letters regarding the compromised data to the parent or guardian of the enrolled student whose data was compromised.

BVSD also submitted an invoice for the cost of those letters to Pearson, costing the company more than 50,000 dollars.

“We’re fortunate […] that we’re not aware of any of the breaches that happened prior to that Pearson breach. But I can tell you, it’s the thing that keeps me up at night, protecting student identities, students’ information that we do have,” said Moore.

Anderson said that district staff have worked to increase data security across the state, and are reviewing the data outside vendors have on BVSD students.

Yet, as public dissatisfaction about the number of vendors BVSD outsources to increases, Anderson is reluctant to move away from this practice.

“I don’t think that we’re ever going to live in a world where we’re doing this all on our own […] I think that is the nature of the business, what education is today.”