Personal data of 52 New York students is compromised after testing-company breach

More than 50 students across New York had their personal information compromised in a recent data breach, state education officials said Thursday, blaming the incident on a private testing vendor that has recently come under fire in other states for testing mishaps.

The vendor, Questar Assessment, Inc., suspects that a former employee illicitly accessed the names, student-identification numbers, schools, grade levels, and teachers of at least 52 students who took state tests on computers last spring, according to state education department officials. The breach occurred between Dec. 30 and Jan. 2, though Questar first notified the state on Tuesday, officials said.

The breach is likely to fuel the already widespread opposition among New York parents and educators to the state’s standardized tests, which nearly one in five students refused to take last year. In addition to criticisms about the content of the exams and how the results are used, some testing critics have raised concerns about whether private test-providers are able to safeguard students’ personal data.

The flub may also complicate the state’s drawn-out transition to computer-based tests, which are currently only used in a small number of schools.

In a conference call with reporters Thursday, State Education Commissioner MaryEllen Elia said the department had asked the state attorney general to investigate the matter and ordered Questar to take “immediate corrective action.” She noted that only a fraction of the roughly 88,000 students who took computer-based tests last year were affected, but said that is still unacceptable.

“Any data breach is unacceptable,” she said, “particularly when we’re talking about children’s information.”  

The affected students attend five schools across the state. In New York City school, 10 students had their information compromised. The students attend P.S. 15 Jackie Robinson in Queens, and took trial exams on computers this spring, not the actual state test, according to the city department of education.

New York hired Questar in part to quell testing anxiety after the state’s former test vendor, Pearson, made a series of missteps that inflamed the grassroots backlash against the state tests. Questar’s roughly $44 million contract runs through 2020 and requires the company to develop computer-based exams, in addition to paper tests.

The setback also threatens to make the switch to computer-based testing more arduous. While only 28,000 took last year’s state exams on computers (and another 60,000 took computer-based trial tests), the state hopes to eventually move all students to computer-based testing. The state has pushed back the transition for years, and on Thursday officials said they still do not have a “firm time frame.”

The data breach is just the latest testing flub involving Questar.

Last year, roughly 9,400 Tennessee students received incorrect test scores due to a glitch in Questar’s test-scanning program. And in Missouri, the state education department threatened legal action against Questar after a design problem with its exams meant that they could not be used to evaluate districts or compare student performance across the state, according to the St. Louis Post-Dispatch.

In New York, Questar notified state education department officials of the breach Tuesday afternoon, about two weeks after it occured. The officials immediately asked for more information and Commissioner Elia personally called Questar’s president, Steve Lazer, that evening, state officials said. However, the company did not provide the state with the names of affected students and schools until Thursday afternoon.

Officials on Thursday said they were in the process of notifying impacted schools and families.

The department is also forcing Questar to take a series of actions, including resetting the passwords of all user accounts, hiring an outside group to audit the company’s security protocols, and submitting a “corrective action plan” to the department that list the actions Questar has taken since the breach.

“Families deserve to know that their children’s information is safe,” said Amy Spitalnick, a spokeswoman for New York Attorney General Eric Schneiderman, adding that the office had opened an investigation into the breach.

A Questar representative said late Thursday that the company was preparing a written statement, but none was available at that time.