The Hechinger Report is a national nonprofit newsroom that reports on one topic: education. Sign up for our weekly newsletters to get stories like this delivered directly to your inbox.

education vendors
Credit: Credit: Frazer Hudson/Getty Images

Nearly half of the more than 1,200 education technology vendor websites used by teachers and students, and checked in an October audit, did not include a secure log-in, according to a new survey.

This makes these programs vulnerable to a security breach – a school leader’s nightmare.

“We want people to fix this,” said Bill Fitzgerald, director of the Privacy Initiative at Common Sense Media, a nonprofit organization that provides tools to help schools and parents assess the merits of technology and media use. “We don’t want to talk about encryption. We want to talk about pedagogy.”

Some might think that hackers only target high-profile groups such as politicians and banks – but that’s a mistake. Schools, both K-12 and higher education, have been victims, too. More than 780 breaches in schools, resulting in the disclosure of more than 14,790,000 records, have been reported since 2005, according to the Privacy Rights Clearinghouse, a California-based nonprofit consumer advocate.

The survey by Fitzgerald’s team sought to find out how many programs support the use of encryption, which helps protect information online. The report found that only 51 percent of the educational program websites checked provided this protection. Both small and large companies that offer programs to schools provided websites without encryption. And in some cases the companies provided the security only for districts in states that mandate it. (To avoid compounding the problem, the report does not disclose the names of which programs have security problems.)

The consequences of a security breach can be devastating. Parents trust that school leaders are being careful, and even a small-scale problem can cause them to doubt if it’s worthwhile to use online programs in the classroom. And if teachers are using the same username and password across multiple sites – a no-no, but some do it regardless – then one breach on one site can lead to widespread security issues.

So what can educators do? Schools should check to be sure the websites being used by teachers and students are encrypted, Fitzgerald said. This can take some time, sometimes 30 minutes to an hour, but it’s worth it to put in the work before there is a problem. It can cost 10 to 20 times more in time and money to clean up a crisis than to do the prevention work, he estimates. (Common Sense media provides tips on how to do this.)

“Most of the time it takes a breach or a news story for districts to step up their game,” Fitzgerald said. “When that happens it’s already too late.”

The tests run by Common Sense Media set a very low bar – meaning the problems could be even worse than reported. They tested the websites by running an automated program that checked to see if the log-in page was secure. It was not able to see if that protection carried over once users were logged in – another area where some websites can have problems.

Fitzgerald and his team plan to run their audit again in the coming months to see if companies have fixed the problems they found.

This story was produced by The Hechinger Report, a nonprofit, independent news organization focused on inequality and innovation in education. Read more about Blended Learning.

The Hechinger Report provides in-depth, fact-based, unbiased reporting on education that is free to all readers. But that doesn't mean it's free to produce. Our work keeps educators and the public informed about pressing issues at schools and on campuses throughout the country. We tell the whole story, even when the details are inconvenient. Help us keep doing that.

Join us today.

Letters to the Editor

At The Hechinger Report, we publish thoughtful letters from readers that contribute to the ongoing discussion about the education topics we cover. Please read our guidelines for more information. We will not consider letters that do not contain a full name and valid email address. You may submit news tips or ideas here without a full name, but not letters.

By submitting your name, you grant us permission to publish it with your letter. We will never publish your email address. You must fill out all fields to submit a letter.

Your email address will not be published. Required fields are marked *