A data breach at testing vendor Questar Assessment exposed personal information of about 52 students in five New York schools, state Education Commissioner MaryEllen Elia said Thursday.
Questar, headquartered in Apple Valley, Minnesota, reported that someone accessed a small amount of “personally identifiable” information from Dec. 30 to Jan. 2, Elia said. The data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, social security numbers, disability status or test scores.
New York Attorney General Eric Schneiderman’s office has opened an investigation, spokeswoman Amy Spitalnick said.
The data breach affected one other state, Questar Chief Operating Officer Brad Baumgartner told The Associated Press. He declined to identify it, saying he could not disclose client information.
Most Read Nation & World Stories
- House condemns Trump 'racist' tweets in extraordinary rebuke VIEW
- Diver stumbles upon a giant jellyfish as big as she is: Watch the video
- Here are the Republicans who broke with their party and other takeaways from the vote on Trump’s language
- Notre-Dame came far closer to collapsing than anybody knew VIEW
- Prosecutors want Mexican megachurch leader held without bail VIEW
“Even though access was to a very minor amount of data any unauthorized access to data is unacceptable,” the company said in a statement. “Questar took immediate action to address the unauthorized access.”
Elia said the state first learned of the breach on Tuesday but was not told the names or schools of those affected until Thursday. The students, who represent a small fraction of those who took computer-based tests this past spring, attended five schools: John F. Kennedy School, Great Neck; Menands School, Menands; School 2, Oceanside; Public School 15 Jackie Robinson, Queens, and St. Amelia School, Buffalo.
On a conference call with reporters, Elia said she could not speculate on the reason the data was accessed, but said it would have no obvious use.
“We can’t see any reason that anyone would do it,” she said.
She said Questar had indicated that it suspected a former employee, but Baumgartner told the AP that there was not any evidence to support that.
“At this time, the person is unknown to us,” he said.
The state Education Department wants Questar to detail by Jan. 26 what steps it will take to prevent future breaches and to have an outside expert audit the security of its systems, security protocols and procedures by Feb. 20.
New York replaced test vendor Pearson with Questar in 2015 amid a backlash over standardized testing. The five-year, $44 million contract tasked Questar with developing new grade 3-8 English language arts and math assessments that districts could choose to administer via computer.
About 28,000 students took the latest assessments electronically, while an additional 60,000 students field-tested computer-based tests, Elia said. Although the majority of students in the state’s nearly 700 school districts still take the tests with paper and pencil, eventually all testing is expected to shift to computers.
“Any breach of student data, no matter how small, is unacceptable,” said Carl Korn, spokesman for New York State United Teachers, a statewide teachers’ union. “While it appears the State Education Department caught this quickly and responded appropriately, it underscores the serious concerns that parents and teachers have about the state’s rush to adopt computer-based testing.”
Ian Rosenblum, executive director of The Education Trust-New York, an advocacy group, praised the state’s response and said the incident should not undermine the assessment program which, he said, “has a critical role in ensuring schools and districts are serving all students and promoting equity.”