For Immediate Release: January 22, 2018
JACKSON, Miss – The Mississippi Education Department’s (MDE) assessment vendor, Questar Assessment, Inc., reported today that 663 students in the Tupelo and Jefferson County school districts were affected by the data breach the company discovered last week. This represents a fraction (0.26%) of the to 258,501 computer-based test takers in spring and fall 2017. Questar had originally reported the breach related to tests administered in 2016.
Questar’s preliminary analysis found that an unauthorized user viewed student assessment records between December 31, 2017 and January 1, 2018, from Tupelo Middle School, Tupelo High School and Jefferson Junior High School. The unauthorized viewer gained access to student names, Mississippi student identification numbers, grade levels, teacher names and test results. One student record viewed contained demographic data.
Dr. Carey Wright, state superintendent of education, spoke personally to Questar President Steve Lazer to demand that Questar take immediate action to ensure no further data breaches occur. Lazer assured Wright that Questar is acting swiftly to ensure Mississippi’s data remains safe and secure.
“The MDE takes very seriously the confidentiality of student information, and any breach of our records will not be tolerated,” Wright said. “Even though this incident is isolated to a fraction of students, any type of breach is unacceptable, and we are holding Questar accountable to ensure this never happens again.”
Following the discovery of a similar breach in New York, Questar has closed the accounts of all former employees and has hired a third-party audit firm to perform a security audit of its systems.
The MDE is requiring Questar take immediate action including:
Use a third-party audit firm to conduct a security audit of Questar’s systems and security protocols, policies and procedures;
Submit a written corrective action plan to the MDE by January 29, 2018, detailing the actions Questar has taken and will take to ensure that this does not occur again in the future.
Force password resets;
The MDE does not share student addresses and social security numbers with Questar; and therefore, this information was not accessible.
Questar first notified the MDE about the breach on the afternoon of January 18, 2018. On January 19, 2018, Questar provided additional information, and earlier today, Questar provided the MDE with the names of the affected students and schools.
The MDE has notified the superintendents of the affected districts and will issue a letter to every student who were affected. The breakdown of schools and students affected is as follows:
# of Students Affected
Tupelo Middle School
Tupelo School District
Tupelo High School
Tupelo School District
Jefferson County Junior High School
Jefferson County School District