Like everyone else, our children currently are learning online. Our district has an online learning portal they sign into, and through that portal, they access their teachers’ instructions and learning apps paid for by the school. Under the circumstances, the ability of our educators and administrators to pivot to online instruction is mind-blowing. Unfortunately, that pivot comes at the cost of a seamless technological experience.
Early in the second week of instruction, my seven-year-old managed to sign into her account twice, generating a detailed error report. Now I am – at best – just clever enough to be dangerous. As a professional technical writer, I have been exposed to technical concepts ranging from the structural integrity of the Space Shuttle to the use of GPS technology on the new Orion vehicle. My experience is a mile wide and an inch deep; on a variety of subjects, I know just enough to be dangerous.
Looking at my daughter’s error message, I saw this data dump I barely understood, and I panicked, feeling certain it put our children’s personal information at risk. I called our district’s help desk and spoke to the least concerned help desk technician ever. He took my information and said he would file a report.
A week later, my seven- and nine-year-olds could easily replicate the trace, and it happened with such regularity that the nine-year-old started muttering about the school’s IT department. To be clear, my nine-year-old can barely start Minecraft on his own, and he thinks that Bon Jovi is totally metal. I feel like his scorn is the greatest condemnation our district’s IT department could have endured, but they didn’t appear to feel it. On the contrary, they stopped taking my calls.
Two weeks after the initial error, I got through to the help desk again. The exasperated technician told me that their security department was aware of the issue. “Do we even have a security department?” I barked back.
He sighed heavily. “Yes ma’am. We do, and they’re on the issue.” The next day, my children couldn’t work more than 15 minutes at a time without encountering the error. I called again, and the help desk technician hung up on me. I called the district’s main phone line and explained the issue, and the CTO called me about an hour later. He was not reassuring, offering me pat reassurances that everything was under control.
I knew a few things.
- An error message that reveals information about databases and servers could be used in a cyber attack.
- Cyber attacks on school districts are on the rise; I could easily point to story, after story, after story of school districts and municipalities being paralyzed by cyber attacks that are largely due to easily preventable IT security issues.
- Most importantly, all of my husband’s, adult daughter’s, young children’s, and my own PII are stored in the district’s computers and servers.
- In the middle of a pandemic, when I sometimes call day drinking and anarchy a win because we’re all breathing, I did not want to go to war with a school district that could spend me into bankruptcy on the first day.
Something inside me snapped. I felt trapped and endangered and dismissed all at once.
First I considered calling the press. If I had, I would have had my vengeance, at least. The PR nightmare for the CTO and the district superintendent would have been fun to watch, I admit. However, that would directly jeopardize our information, because now the general public would be aware that this trace existed and that it was potentially exploitable. Even if the data contained on the trace was utterly useless, it seemed to me that the best possible outcome of press coverage would be the publication of our district’s sloppiness in IT.
Sweet as the taste of vengeance would be, the potential consequences were worse.
And it was here, three weeks from the first error and in a confusion of doubting my knowledge, frustration with my district, and futile anger, that I remembered and called Consumer Affinity. I spoke with Steve, the company’s founder and CEO, and I sent him images of the error. He patiently listened to the details, and for the first time, I felt like a qualified IT security professional truly heard my fears and concerns and took them seriously.
After reading the errors, Steve took the time to educate me about how these errors were different from the kinds of errors that might have enabled, for example, a SQL injection attack. He explained what kind of information the trace actually revealed: mostly IP addresses and server names that might otherwise have remained hidden. Finally, he said the thing I most needed to hear: that as a former penetration tester and ethical hacker, he would not have regarded the information in the trace as particularly useful.
I ended my call relieved and educated. Steve could have said simply, “Nah, it’s no big deal.” I trust his company, and I would have taken his word for it. But Steve isn’t building that kind of company. He is in the business of teaching, and he eased my mind. He helped me breathe again and panic about one less thing in the middle of this pandemic.
In short, I recommend Consumer Affinity completely. They are not just another company focused on security. They’re focused on you. On your education, your peace of mind. Your security.