Cyber Incident Victim: Questar Assessment
Date:
Jan 2018
Location:
United States of America
Summary
A data breach at a state testing contractor allowed unauthorized access to information for 52 students who took computer-administered exams, compromising names, state identification numbers, school details, grade levels, and teacher names. The incident, attributed to a former employee, affected five schools and prompted the state education department to mandate password resets, closure of inactive accounts, a security prevention plan, an independent audit, and referral to law enforcement. While most computer-based test-takers were unaffected, the contractor acknowledged additional impacted students in another unspecified state. The company, recently acquired by a larger educational entity, cooperated with investigators amid scrutiny of its multi-year contract to develop and administer standardized assessments.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 18, 2018, the New York State Education Department disclosed a data breach at Questar Assessment, the company responsible for developing and administering the state’s third-through-eighth grade reading and math tests. An unauthorized user, believed by Questar to be a former employee, accessed sensitive information pertaining to 52 students who had taken computerized assessments during the previous spring testing window. The compromised data included students’ full names, New York State Student Identification numbers, school names, grade levels, and associated teacher names. These 52 students represented five geographically dispersed schools across New York State, though approximately 88,000 students statewide had participated in computer-based testing that year, including field tests used to evaluate new questions. The breach was detected and reported by Questar to state authorities, prompting immediate containment measures.
In response, the New York State Education Department mandated that Questar reset passwords for all user accounts and deactivate credentials belonging to former employees, actions the company completed promptly. The department further required Questar to submit a comprehensive plan outlining enhanced security protocols to prevent future incidents and commissioned an independent audit of the company’s systems and policies. State officials referred the matter to the New York Attorney General’s office, which initiated a formal investigation. Education Commissioner MaryEllen Elia confirmed that students in at least one other unspecified state were also impacted, though no additional details regarding that exposure were provided. Questar’s Chief Operating Officer, Brad M. Baumgartner, acknowledged the breach involved a “very minor amount of data” but emphasized that any unauthorized access was unacceptable, pledging full cooperation with investigators. The incident occurred amid Questar’s five-year, $44 million contract with New York, awarded in 2015 after the state transitioned from its prior vendor, Pearson. Questar had recently been acquired by Educational Testing Service (ETS) prior to the breach.