A data breach of a test provider has affected Mississippi schools
Questar’s preliminary analysis found that an unauthorized user viewed student assessment records between December 31, 2017 and January 1, 2018, from Tupelo Middle School, Tupelo High School and Jefferson Junior High School. The unauthorized viewer gained access to student names, Mississippi student identification numbers, grade levels, teacher names and test results. One of the student records viewed contained demographic data.
Questar first notified the MDE about the breach on the afternoon of January 18, 2018. On January 19, 2018, Questar provided additional information, and earlier today, Questar provided the MDE with the names of the affected students and schools.
The MDE has notified the superintendents of the affected districts and will issue a letter to every student who was affected. The breakdown of schools and students affected is listed below.
| School | District | # of Students Affected |
| --- | --- | --- |
| Tupelo Middle School | Tupelo School District | 490 |
| Tupelo High School | Tupelo School District | 72 |
| Jefferson County Junior High School | Jefferson County School District | 101 |
The MDE says that they don’t share student addresses or social security numbers with Questar.
State Superintendent Dr. Carey Wright has notified Attorney General Jim Hood’s office, and following the announcement, Wright says that they will seek action from the company.
“The MDE takes very seriously the confidentiality of student information, and any breach of our records will not be tolerated,” Wright said. “Even though this incident is isolated to a fraction of students, any type of breach is unacceptable, and we are holding Questar accountable to ensure this never happens again.”
The department has requested that Questar take the following corrective actions:
- Use a third-party audit firm to conduct a security audit of Questar’s systems and security protocols, policies and procedures.
- Submit a written corrective action plan to the MDE by January 29, 2018, detailing the actions Questar has taken and will take to ensure that this does not occur again in the future.
- Force password resets.
Questar released a statement following the data breach saying that they are working with officials to create those preventive measures to ensure that this type of breach doesn’t happen again.
“Questar has notified The Mississippi Department of Education that two school districts in Mississippi were subject to recent unauthorized access to our systems and to data in our care. Any unauthorized access to data is unacceptable. Questar took immediate action to address the unauthorized access. In addition, Questar will cooperate fully with the Mississippi Department of Education to implement requested preventative activities. Based on the actions Questar has taken in response to this event, we believe there is no ongoing impact to Questar system users.”
Questar administers Mississippi’s statewide assessments in English language arts and mathematics, Algebra I and English II.
The release included New York in the announcement of the data breach.