Skip to main content
close search
site logo
Deep Dive

Keeping student data safe while at the mercy of third parties

Partnering with outside vendors can present a data security challenge for schools

Published Oct. 6, 2016
By
Tara García Mathewson Contributing Editor
Flickr user luckey_sun

When cybersecurity startup UpGuard assessed the websites of eight learning management system companies, they found the most popular, Blackboard, had the highest risk of security breaches and hacks.

UpGuard’s CyberSecurity Threat Assessment Report, or CSTAR, provides a FICO-like score based on risk. From the outside, CSTAR assesses industry breach patterns and employee satisfaction ratings, security risks on company websites, and protection against third-party impersonation for fraudulent communications, assigning a score that, like a person’s credit score, tops out at 950. An internal scan can go deeper to assess system vulnerabilities, regulatory compliance, and network integrity, but a basic scan assesses the security risks visible to hackers.

The results of the basic scan show the Google Classroom website gets a CSTAR score of 893, followed by Schoology at 877, Engrade at 870, Moodle at 837, Edmodo at 836, Talentlms at 751, and Blackboard at 334.

The vulnerabilities that tanked Blackboard’s score, however, are all relatively simple and cheap to address.

“If I were the system administrator for Blackboard and someone said you have to fix this in a week, it could be done,” said Alan Sharp-Paul, co-founder and co-CEO of Upguard.

When presented with these results, Blackboard spokesman D’Anthony White said the website and related servers assessed by CSTAR are used exclusively to manage the corporate website.

“The hosting and network infrastructure that power and run all Blackboard products is completely decoupled from our corporate website servers and therefore not reflected in the analysis,” White said.

Still, he said the company is working to address the issues identified by the analysis.

Tustin Unified School District in southern California uses PowerSchool Learning, which also scored low on UpGuard’s security assessment based on its corporate website. Still, Tustin Unified Senior Director of Technology Robert Craven says the district has the benefit of relatively strict data protection and privacy laws that have been in place for almost two years at the state level. They provide a platform from which to negotiate with third-party vendors about how much student data needs to be shared and how it will be protected.

“We’re always trying to give as little data as we can to those companies in order to get the services that we need for our students,” Craven said.

The district is moving toward more centralized approvals for classroom use of educational applications. In this model, district officials have the final say over whether or not teachers can use new apps, which limits how much student information is actually being handed out to third parties.

“That impacts the pace,” Craven said. “I recognize that can be a challenge for teachers, but I think the bigger challenge is keeping our students’ identities safe.”

Craven has found teachers are generally receptive to slowing down in the name of safety and Tustin’s IT staff members are happy to provide alternative apps if the ones teachers select are unsafe. Vendors are also receptive to the district’s data concerns and willing to work with staff to make necessary changes to how much information they collect and store off-site.

If hackers can get access to the district’s stash of personal information, they’ll find names, addresses and birth dates  all the information they would need to open fraudulent accounts. And in the case of students, that information isn’t tied to an existing credit history or necessarily monitored for identity theft.

Besides potential threats presented by sharing data with third parties, Tustin, like school districts across the country, must brace itself against external attacks. Using its firewall, the district blocked high-risk countries from being able to make contact with its network, restricting entire IP ranges.

Still, Tustin Unified is constantly getting attacked or probed by hackers.

“It’s ongoing," Craven said. "Every second or every couple seconds, someone is looking for a way in."

The pace of cyberattacks has led to one positive outcome – widespread acknowledgement of the threat. School boards and district leadership seem to be more willing to allocate money to beef up security than they were even five years ago. And tools like UpGuard’s are popping up to help administrators compare their options when it comes to forging new ed tech partnerships.

To get a CSTAR report for any website, visit www.upguard.com and paste in the URL.

Filed Under: Technology, K-12

Editors' picks

Company Announcements

View all | Post a press release
Adaptive Reader Raises Pre-Seed Round to Expand Accessible Reading Solutions for All Learners
From Adaptive Reader
January 10, 2025
KinderLab Robotics Expands its KIBO Robotics Curriculum to Include Grades 3-5
From KinderLab Robotics
January 07, 2025
Breaking Barriers: La Promesa High School Transforms Learning for Newcomer Students through Sc…
From Timely
January 13, 2025
VHS Learning’s Spring 2025 Registration Open; Classes Begin January 29
From VHS Learning
January 10, 2025
Editors' picks
Latest in Technology
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.