1.4 million student Social Security numbers found unencrypted in Maryland

A recent audit found the state's Education Department was storing sensitive personal data in plaintext format and not updating its software.
social security numbers
Getty Images

A recent audit has revealed that the Maryland Department of Education “inappropriately” stored personal information of more than 1.4 million students and more than 230,000 teachers.

The report published by the Maryland General Assembly’s audit office last week found that the education department stored personally identifiable information in databases and applications in plaintext format, leaving it more susceptible to interception by bad actors. The audit also found that the department had not instated “sufficient” malware protection, nor did it ensure that critical systems managed by third parties were protected against security risks.

“Specifically, we found critical servers running on outdated and no longer supported operating systems and a number of computers had not been updated with the latest releases for software products that were known to have significant security-related vulnerabilities,” the report states.

The audit found some of the department’s software hasn’t been updated since 2008.


The state’s Education Department, which in 2017 spent $7.7 billion, manages information technology systems housing student data that includes Social Security numbers, along with names of students and teachers. The auditor found that this information was not encrypted, despite the office’s recommendation to remediate this issue in its previous audit in March.

All state agencies in Maryland are legally required to encrypt sensitive data.

In a response to the audit, the education department agreed with the auditor’s recommendations to inventory its systems, delete all unneeded sensitive data, and to encrypt the sensitive data that remains. The department says its IT division is now working with the Maryland Department of Information Technology to complete these tasks by September 30.

Data left unencrypted on state and local government or school district servers has in many cases made its way into the hands of bad actors, who can infiltrate computer systems via a compromised email account or weak security on various educational software platforms. While all organizations are vulnerable to cyberattacks, the U.S. education sector ranked last out of 17 sectors for its cybersecurity capabilities, according to a report published last December by a New York-based cybersecurity research firm.

Latest Podcasts