Student Information Privacy Concerns Arise from Colonial Busing Website
Parent says he accidentally discovered way to see busing, personal information for other children.
Last Friday, Alan Fiermonte, father of two elementary-aged children, received a letter in the mail from the Colonial School District making him aware of a new "Versatrans" webpage. The letter told him how to log on to the site, in order to access information about his children's bus schedules.
Fiermonte went to the computer and entered his child's user ID, a unique numerical code assigned to all students in the district, and the account's matching numerical pass code. However, when he began to look through the website, he realized he was viewing a different child's account, complete with home address, home phone number, birth date, and bus schedule information.
That's when he realized his error: he mistakenly entered an 8 as the last digit of the user ID and password, instead of a 7, and ended up in a different child's account. Fiermonte further realized that his child's unique user ID, along with matching password, was only one sequential digit off from another student's.
Fiermonte critical of district data policies
Fiermonte says that he has long been critical of the district's data policies, mainly due to a perceived lack of communication with parents, but says that the Versatrans system became an immediate concern.
"Versatrans is the first time I've seen that much data on a web resource," Fiermonte says. "But if this is a common theme using [X]-digit pass codes, then you start to understand the overall base security."
Patch investigated the apparent vulnerability, starting with Fiermonte's child's account, and was able to access six accounts in nine tries.
While the Versatrans system does allow parents to change the login password, thus preventing such access, they are not prompted to do so by the system. In addition, Fiermonte says the letter sent home did not instruct parents to change their password.
District employees say data is secure
By the time we spoke with Fiermonte, he had already alerted the district to the issue, and Colonial employees told Patch the problem was fixed by Sunday, and also further explained what happened.
"We used to mail out bus schedules to our parents, and in an effort to cut down on paper… one of the things we've been moving toward is a computer system that has [bus] scheduling information," said district Community Relations Coordiator David Sherman, adding that Versatrans is a third-party vendor. "The transportation department became aware on Sunday… that there were addresses and phone numbers that could be accessed. That was shut off Sunday morning."
Sherman and Chief Information Officer Andrew Boegly went on to express confidence in the district's technology security. Boegly explained that each student is assigned an ID that he or she uses to log on to various systems, including the school's main network, and the HUB-- an online gateway-- when at home. High school students and all district staff are allowed to and are even required to change their passwords, while elementary students are not because of the concern they could forget their passwords, Boegly said.
Boegly also said that the Fiermonte's concern about base security was unfounded. With the exception of the Versatrans mishap, Boegly says that private student data is not available upon logging into any district servers or accounts, and that students primarily use the systems to access curriculum.
Some Versatrans data still available?
However, that still leaves the issue of Versatrans. After Patch spoke with the district on Monday afternoon, we attempted to access the Versatrans system, and once again had success. While the sections for phone numbers, birthdays, and home addresses were removed, the student's name and individualized time and location for bus stops were still available in each account we accessed.
Fiermonte told Patch he was concerned with the ease in which that data could be accessed, whether it be accidentally or on purpose.
"[X]-digit pass codes are too simplistic, and young kids can be socially engineered to give them out,” says Fiermonte. "It can be easily accessed by somebody going online and starting to type [X]-digit numbers, or by creating a program to harvest this data."
Patch reached out to Ryan Fetterman, a security engineer for Booz Allen Hamilton who works closely with network vulnerabilities, and described the system. Fetterman says that Fiermonte's concern about access wasn't off the mark.
"If someone were to discover the scheme used for assigning numbers, they could systematically exploit the system using automated tools or custom scripting, revealing the information of any child who had kept the same password," Fetterman said.
However, district officials say they monitor who accesses the school's systems.
"This was a piloted program, and there were 11 parents who accessed data, from our records," Sherman said. "We know who accessed what."
"We have log files of all activity within the network, and external access as well," Boegly continued. "So we know through our intrusion detection and other security pieces we have in place whether or not we're vulnerable to any threat."
Versatrans aside, Fiermonte says he would like to see more communication from the district on the issue of data security.
"I want to know where my kids' information is located," Fiermonte says. "I'd like a letter from the district that says 'we have this data, here's how we're keeping it, here's where we're keeping it.'"
School officials reiterated to Patch that they believe all data is secure.
"Our [data] has always been secure," Boegly said. "We do technical audits every other year for that purpose, and we're audited by the state every two years."
Parents who wish to change their Versatrans password may do so by logging into the system, clicking "options" in the upper right-hand menu, and then selecting "change user profile." Fetterman says that the more complicated a password is, the better.
"The strongest passwords use high character length, special characters, upper and lower case characters, and numbers," Fetterman says.
[Editor's note: Patch withheld some specific information, including the use of "[X]-digit" when describing the length of student ID codes, for security purposes.]