Cyber Incident Victim: Questar Assessment
Date:
Apr 2018
Location:
United States of America
Summary
A suspected cyber attack disrupted online state-mandated assessment testing administered by Questar, impacting multiple school systems including Greene County Schools. Testing experienced interruptions over two days, though students ultimately completed exams. The incident potentially affected seven states—Tennessee, New York, South Dakota, Mississippi, and Missouri among them—with two states reporting less severe disruptions. This followed an earlier breach involving the same vendor that compromised schools in Mississippi and New York. Authorities emphasized the need for a thorough investigation to determine the cause and prevent future occurrences.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2018, Greene County Schools in Tennessee experienced disruptions during state-mandated TN Ready assessments due to a suspected cyber attack targeting Questar Assessment, the vendor responsible for administering online testing. Testing interruptions occurred on Monday and Tuesday of the week beginning April 16, affecting some students' ability to complete exams initially. District data supervisor Julia Lamons confirmed that despite these technical issues, testing ultimately continued and all students completed their assessments. The incident prompted an investigation into whether Questar's systems had been compromised, though no definitive attribution or attack method was disclosed publicly. This event followed a previously reported data breach involving Questar earlier in 2018 that impacted educational institutions in Mississippi and New York, raising concerns about systemic vulnerabilities in the testing platform. Initial reports focused on Tennessee's disruptions before evidence revealed wider implications across multiple jurisdictions.
Subsequent updates indicated the incident affected online testing operations in seven U.S. states, with confirmed impacts in New York, South Dakota, Mississippi, and Missouri. Two additional unnamed states experienced less severe disruptions described as not "negatively affected." The multi-state scope demonstrated the incident's broad consequences for standardized testing schedules, though specific details about compromised systems or data exfiltration remained undisclosed. No quantitative estimates of affected students or schools were provided across jurisdictions. Educational authorities emphasized the continuation of testing despite technical challenges, while cybersecurity analysts called for comprehensive investigations into Questar's infrastructure security measures to prevent recurrence. The vendor's role as a centralized testing platform provider amplified the operational impact across dependent state education systems during critical assessment periods.