After a data breach in 2018, a test provider for the Mississippi Department of Education has agreed to strengthen their cybersecurity.
Questar, one of several test providers for the MDE, was the target of a data breach in January 2018. During the breach, an unknown hacker gained access to testing data for over 650 students in North Mississippi.
“The MDE takes very seriously the confidentiality of student information, and any breach of our records will not be tolerated,” State Superintendent Dr. Carey Wright said at the time. “Even though this incident is isolated to a fraction of students, any type of breach is unacceptable, and we are holding Questar accountable to ensure this never happens again.”
The proper protocol was followed at the time and it appears that the data was not used “maliciously”, according to Attorney General Jim Hood.
After the breach, Questar stated that they would fully cooperate with the MDE to ensure that this would not happen again. The company has now voluntarily entered into an ‘Assurance of Voluntary Compliance (AVC)’ with the Attorney General’s Office in an attempt to improve their cybersecurity practices.
The AVC requires the following of Questar:
- Comply with the Mississippi Consumer Protection Act
- Promptly notify the MDE and law enforcement of any breach of security resulting in an unauthorized release of students’ personal information
- Coordinate with MDE to notify students and parents of any breach
- Follow a Comprehensive Information Security Program including the following:
  - Designate a Chief Information Security Officer (“CISO”)
  - Conduct an annual risk assessment and implement safeguards pursuant to the assessment
  - Train employees on privacy and cybersecurity
  - Regularly test effectiveness and improve accordingly
  - Select and retain service providers capable of safeguarding students’ personal information
- Revoke all terminated Questar and MDE employees’ network access within two business days of said termination
- Encrypt students’ personal information or use alternative effective controls in any instance where encryption is not feasible (which shall be documented)
- Appoint a Patch Supervisor who shall be responsible for timely implementing security updates and security patch management
“While we don’t know why the hacker accessed the information, fortunately, so far, we do not have evidence that the student information was taken and used maliciously. Questar has voluntarily cooperated with us to address our concerns regarding the company’s cybersecurity,” General Hood said regarding the agreement. “It’s important that state agencies contract with companies who prioritize safe handling of student data and personal information.”
Questar administers Mississippi’s statewide assessments in English language arts and mathematics, Algebra I and English II.