Maryland Gov. Larry Hogan (R), center, appears with State Superintendent of Schools Karen B. Salmon and Glenn Fueston, the executive director of the Governor’s Office of Crime Control and Prevention, on Feb. 28, 2018. (Brian Witte/AP)

“Sensitive, personally identifiable information” of more than 1.4 million students and more than 200,000 teachers was improperly stored by the Maryland State Department of Education, leaving them at risk of identity theft, according to a recent audit.

The review found that the department stored the names and Social Security numbers of students and teachers “in clear text,” even though Maryland’s information security policy calls for confidential data to be protected using encryption or other “substantial” mitigating controls.

As of June 2018, the personal information did not appear to be adequately protected by data-loss prevention software.

“Appropriate information system security controls need to exist to ensure that this information is safeguarded and not improperly disclosed,” said the audit, which was published this month.

The report on deficiencies in the state network was released as governments and private entities are working to protect their computer networks and databases. Maryland reported this month that hackers had gained access to the names and Social Security numbers of as many as 78,000 people from two older databases run by the state Labor Department. The information, accessed in April, belonged to people who received unemployment benefits in 2012 or sought general equivalency diplomas in 2009, 2010 or 2014.

The audit of the Education Department, released this month, found that the state did not have assurances that student data managed by third-party contractors was properly stored. The department also lacked a “complete information technology disaster recovery plan” or sufficient malware protection to provide “adequate assurance that its computers were properly protected,” according to the review.

Thousands of Maryland teachers march on the State House about school financing and other education concerns in Annapolis on March 11, 2019. (Marvin Joseph/The Washington Post)

The Office of Legislative Audits, which conducted the review from June 2014 to December 2017, identified 15 servers that were using an outdated operating system that had not been supported by the developer since 2015.

“Updates have not been provided for this software to address newly discovered software vulnerabilities,” auditors wrote.

As of July 3, 2018, according to the audit, 249 of 483 computers in the department were using outdated software, including some that was last updated in 2010.

An Education Department spokeswoman could not immediately be reached for comment.

In a written response to the audit, State Superintendent of Schools Karen B. Salmon largely agreed with its findings. She told auditors that most of the recommendations dealing with the computer network and database would be implemented by the end of September.

The department plans to review its automated applications and identify those that contain personal information for students and teachers. It said it will determine what information needs to be retained and delete the rest.

Salmon said the Education Department’s information technology division, along with the state Department of Information Technology, will use an approved encryption method “or implement substantial mitigating controls” on systems that contain personal information.

The department said it will require third-party contractors to provide reviews of their systems and plans to work with the state IT department to create a disaster recovery plan.

Salmon said the department, and the state IT office, reviewed the 15 servers identified by auditors as running outdated operating system software and found that seven of the servers had been decommissioned.

The other eight servers are scheduled for “migration or replacement” this year.

Last month, Gov. Larry Hogan (R) signed an executive order to create a position to address cybersecurity concerns across state departments and to form a panel made up of nearly a dozen agency heads to implement cybersecurity initiatives.