Boulder Valley School District recently mailed about 60,000 letters to current and former students to alert them their names and birthdates may have been exposed in a Pearson data breach believed to have happened late last year.
“In this day and age, data is a concern for all of us” said Andre Moore, Boulder Valley’s chief information officer. “We take that seriously. We do everything possible to ensure the data is safe.”
A third party accessed a data set used by Pearson’s AIMSweb 1.0 platform, used by Boulder Valley primarily to monitor student progress. Accounts at more than 13,000 schools and universities were affected.
Pearson, an education software company, learned about the breach in March. Pearson launched a review, including working with cybersecurity experts and the FBI. The breach appears to have taken place in November 2018.
Pearson notified Boulder Valley of the data breach on Aug. 1, Moore said. The district then launched its own investigation and decided to send letters notifying all potentially affected students.
In the St. Vrain Valley School District, a handful of students at a single school who attended during the 2010-11 school year might have been affected, said district spokeswoman Kerri McDermid. She said families of those students were notified earlier this month.
According to Pearson, there’s no evidence the students’ information has been misused. But, as a precaution, Pearson is offering a year of free identity or credit monitoring through Experian to those affected.
Names and birthdates, Moore noted, generally aren’t enough information to harm a person’s credit or steal an identity.
Along with covering the cost of identity or credit monitoring, Pearson is paying for Boulder Valley’s mailings.
Moore said it is up to parents, and former students, if they want to trust Experian with their information for monitoring.
He added that he is available to talk to parents one-on-one about their concerns about the breach and Boulder Valley’s policies.
“In general, parents have been very understanding of this,” he said.
While Boulder Valley still contracts with Pearson, the company has phased out the AIMSweb 1.0 platform — a decision that was made separately from the data breach, according to Pearson.
No additional district data was found to be at risk, Moore said, adding the district has contracts with vendors that stipulate they can’t sell student data and are responsible for notification costs in case of a breach.