Education software firm addresses security vulnerabilities
May 20, 2021
A Canadian education technology company lacked a comprehensive information security framework to protect the personal information of hundreds of thousands of students, an investigation by the Office of the Privacy Commissioner of Canada (OPC) has found.
The investigation was launched following a complaint filed by a parent who had discovered security vulnerabilities in a software application adopted by his children’s school board.
The software application, called Edsby, is owned by CoreFour Inc, a company based in Richmond Hill, Ont. CoreFour handles the personal information of hundreds of thousands of children from across Canada and other countries.
The investigation found that CoreFour had implemented some effective security practices, but had not developed a robust, over-arching information security framework.
Such a framework could have potentially avoided the security vulnerabilities identified by the complainant and our Office’s own testing. In particular, the investigation identified weak password requirements for certain Edsby parental accounts, and inadequate safeguards to protect against unauthorized access to thumbnail images of student profile pictures. The investigation also highlighted the need to scan for malware when uploading content into Edsby from third-party apps.
The sensitive personal information entrusted to CoreFour included student grades, absence details, learning disabilities and health information related to, for example, allergies and medication. This information should be protected with heightened security safeguards commensurate with the volume and sensitivity of the information.
CoreFour was co-operative throughout the investigation. The company addressed the identified safeguards vulnerabilities and agreed to implement all of the OPC’s recommendations.
We appreciate the complainant having raised concerns, which through the investigation, has led to important improvements that will better protect the privacy of students. This was the OPC’s first investigation into “Ed Tech”, which has become increasingly prevalent in the context of remote learning during the pandemic.
The investigation into CoreFour highlights the importance of implementing information security and privacy management frameworks that will keep pace with organizational growth, to adequately protect personal information and meet legislative requirements.
The Office of the Information and Privacy Commissioner of Ontario (IPC) conducted a related investigation under Ontario’s Municipal Freedom of Information and Protection of Privacy Act into a complaint against a school board using the Edsby application to manage student attendance.
Report a problem or mistake on this page
- Date modified: