Getting to and from school is supposed to be a safe activity – supposed to be. But, if your child rides the school bus, there may be more nonsense going on than them getting a noogie or getting their pigtails pulled.
Security company Tenable says it found security flaws in Edulog's Parent Portal, which thousands of K-12 districts use to enable parents to follow their students' bus routes.
If you’re thinking it’s no big deal, think about this: If someone cunning enough wanted to pinpoint the names of students, what bus they’re riding on, how to contact their parents, the bus’s current location, pick-up and drop-off times, and notifications about delays or route changes, wouldn’t you be a little worried?
It's undetermined just how many kids and parents were at risk. Edulog doesn’t disclose an exact number of app users on its website and did not respond to a ConsumerAffairs request for such data, but the 7,500 school districts it works with are in 49 US states.
Those include Henrico County, Va. (Richmond), where school buses transport 28,000 students daily; Durham, N.C., where 18,000 students ride the bus; and Jefferson Co. Public Schools (Louisville), where some 10,000 parents reportedly have downloaded the app after a massive bus issue that caused the school district to close school for a week.
Edulog takes action – but was it enough?
Fortunately, this story’s ending is half good and half, hmm. When Tenable made Edulog aware of these gaffes, Edulog sat up, listened, and patched the flaws, so they aren't exposed to cybercriminals anymore.
The flip side of this is that ConsumerAffairs understands that Edulog has decided not to tell customers that there ever was a security issue, so it’s possible that parents will remain in the dark that their kids could have been tracked by bad actors unless school districts opt to go public with that information.
“Even without the vulnerabilities discovered in the Parent Portal services, there isn’t necessarily anything stopping a malicious actor from signing up for an account and obtaining a registration code for a given school through other means," Jimi Sebree, senior staff research engineer at Tenable, said.
"The actor could ask another parent, call the school and pretend to be a parent or simply search for one on the internet."
ConsumerAffairs asked both Edulog and several school districts what was being done in light of the report. Only Peoria Unified (AZ) responded, saying it is working with Edulog on the issue and to its knowledge, there has not been any data breach of its students' data.
Parents, school districts need to take action
Getting to and from school is supposed to be a safe activity, and this is just one of the hundreds of apps and software schools use every day. However, app companies can play it loose with apps that school districts suggest their students use. One report found that 96% of educational apps share children’s personal information with third parties.
“This is a situation where all those involved – Edulog employees, agents for the school districts, and parents using the services – are responsible for making sure the data relating to these services is handled properly,” Tenable said.
Tenable says that any parent concerned about their child’s privacy should examine what data the app developer says it’s using.
The App Store and Google Play both require apps to list the permissions they use. They don't necessarily require any transparency regarding the types of data collected, but if you’re a parent and want something more definitive as to what kinds of information schools are able to share with private parties, FERPA is probably the best reference.
Posted: 2023-12-15 11:55:44