‘Pre-9/11 mindset’ could lead to devastating cyber attacks, GOP rep says
SYRACUSE — A recent national data breach targeting education publishing giant Pearson that could compromise the personal information of students and school staff is amplifying the regional conversation surrounding cybersecurity in central New York.
Officials from the Central New York Regional Information Center (CNYRIC) met with central New York education leaders last week to discuss new information on recent data breaches that affected student names, dates of birth, ID numbers and in some cases email addresses.
CNYRIC officials stressed the attack focused on Pearson and “no component school districts suffered any cyber security breach of information internally.”
Oswego City School District (OCSD) officials want to assuage public fears by noting the breach affects old, outdated data while slamming Pearson for its allegedly deceptive actions in the breach aftermath.
“Our biggest objective is to reassure to parents that this isn’t a cyberattack directly on our district,” OCSD Superintendent Dr. Dean Goewey told The Palladium-Times Friday. “This is a security breach targeting Pearson, which included students and staff in Oswego and most of whom date as far back as 2008 in our system. We have not used the Pearson system in six or seven years and the breach did not provide any significant data from our district to the hackers.”
Goewey added the district has sent letters home notifying those whose data is believed to be compromised.
The superintendent said the district was initially led to believe the data breach — which took place in November of last year and was originally reported by the FBI in March 2019 — “wasn’t that big a deal.”
“It wasn’t until late (Thursday) that we found out how many hundreds of students and staff were affected,” he said. “So we really did not know the seriousness of it until this afternoon because we were misled by Pearson.”
Based out of London, Pearson issued a release on their website in response to the breach.
“While we have no evidence that this information has been misused, we have notified the affected customers as a precaution,” the company stated. “We apologize to those affected and are offering complimentary credit monitoring services as a precautionary measure.”
CNYRIC officials said they plan on developing and overseeing enhanced privacy measures to ensure protection with private companies such as Pearson using provisions in New York’s Education Law 2-D. Education Law 2-D works to safeguard personally identifiable information by analyzing and protecting the integrity of cybersecurity.
“CNYRIC is constantly striving to ensure that district data and personally identifiable information is protected; aligning ourselves with Education Law 2-D requirements will help ensure privacy protection with third-party vendors in the future,” CNYRIC Director Pamela Mazzaferro said in a release Friday.
The New York State Department of Education in 2015 ditched Pearson as its standardized testing contractor amid widespread dissatisfaction with state testing. Minneapolis-based Questar Assessment Inc. has since taken over the job.
The day after education leaders gathered for their conclave on the Pearson breach, central New York elected officials and federal cybersecurity experts met at the Onondaga County Water Authority office to address recent network attacks affecting local online infrastructure.
U.S. Rep. John Katko sits on the House Homeland Security Committee in Capitol Hill and organized the Friday roundtable meeting, inviting members of the U.S. Department of Homeland Security and local officials to discuss cybersecurity for localities.
“How many more (affected districts) do you have to have before we realize they have to prioritize (cybersecurity) from a funding standpoint?” Katko asked of the Pearson data breach.
In repeated occasions during the discussion and in further interviews with reporters, Katko equated the current state of digital information vulnerability to a “pre-9/11” environment.
“There are a lot of indicators that something really bad could happen if we let our guard down,” the congressman said. “We let our guard down before 9/11 and paid a dear price for it.”
Katko, R-Camillus, urged businesses and private entities to understand the severity of cyber attacks, noting cybersecurity is an area where the federal government has improved its interagency communication.
“It’s up to us to make sure we’re constantly doing a better job, scouring our systems, having best practices, sharing information and making sure our guard is up at all times,” he continued. “We can never let our guard down because if you do, we’re going to have a catastrophic event.”
Katko, who was named the ranking member on the Cybersecurity, Infrastructure Protection & Innovation Subcommittee earlier this year, introduced legislation in March, aiming to create an advisory committee and “institutionalize the information sharing between government and businesses on a more rapid basis.”
The congressman also said he will introduce legislation to help localities secure funding that will go to improving their cyber defenses.
“Like we’ve heard today, the school district or library they can’t always afford to do all the software updates they need,’’ he said. “Maybe we can provide sources of grant funding for them and increase those pools of money so that they can then make their systems more secure.”