Personal details belonging to millions of teachers, pupils and parents who use Edmodo, the ‘Facebook for schools’ application, are reportedly on sale on the dark web.
A hacker reportedly stole millions of account details from the education platform, which has more than 77 million users – more than 2 million of them in the UK – across 550,000 schools worldwide.
While the platform is more commonly used in the US, the company told Schools Week it was “likely” that information from UK accounts was involved.
Teachers, pupils and parents can communicate on the app, which operates as an online classroom.
According to the US news website Motherboard, the hacked personal details include usernames, email addresses and passwords.
We strongly recommend that they [users] change their passwords
The site said these details were now for sale on the dark web, a section of the internet accessible only with special software, allowing website operators to remain anonymous.
Mollie Carter, Edmodo’s vice-president of marketing and adoption, said the app had additional security layers, including encryption. There were no indications any user passwords had been compromised.
“Safeguarding the trust and security of our users is of the utmost importance to Edmodo . . . as a precaution, we have reached out to our users in the UK and elsewhere to let them know about the situation and to strongly recommend that they change their passwords.”
She said the company, based in California, had reported the incident to police, called in information security experts and was taking “additional steps to protect Edmodo users”.
It’s the latest cyberattack to affect education. Schools Week revealed in January how fraudsters posing as government officials were contacting schools in attempts to hold important computer files to ransom.
In April, 64,000 examiners belonging to exam board AQA had personal details such as phone numbers and addresses hacked.
Jen Persson, from DefendDigitalMe, a campaign group calling for more transparency with pupil data, said the breach showed that urgent action was needed to address “how poorly pupil data protection and privacy is handled in schools”.
But she said new data protection legislation due to be introduced in the UK from May next year would force many schools to “sharpen up their thinking” around data compliance.
“A teacher won’t be able to just think ‘I’ll sign up all my kids’ without thinking how the app is using any of their personal data or identifying data.”
She also said schools would have to have a named person responsible for data-protection compliance, ensure data security policies were in place for staff, and ensure any personal data about children was deleted when it was no longer necessary.
The group hoped to offer free advice to schools from autumn.
Joshua Perry, director of Assembly, an edtech data platform co-founded by Ark to help schools to do more with data, said schools should challenge any companies processing their data that didn’t have clear privacy and security policies.
He said Assembly, for instance, offered a “privacy hub”, containing clearly written policies alongside a video explaining how their platform worked.
He added companies handling large amounts of sensitive data should also consider extra safeguards such as encryption of personally identifiable information.
But while big data breaches tended to get press coverage, a more common problem day-to-day involved schools sharing unprotected spreadsheets of data via email and other methods.