One of the nation’s largest online assessment providers, Questar Assessment Inc., experienced a potential cyberattack this week that affected at least seven statewide K-12 assessments across the country — and state officials have more questions than answers as some districts struggle to recover.
On Tuesday, what officials called a “deliberate attack” affected tests in seven states that Questar is contracted with, including South Dakota, Mississippi, New York, Missouri and Tennessee. Two other states were not as “negatively affected,” said Questar COO Brad Baumgartner, who testified in front of Tennessee lawmakers on Wednesday in a special hearing dedicated to the testing woes.
“It appears Questar’s data center may have experienced a deliberate attack this morning based on the way traffic is presenting itself,” Tennessee Education Commissioner Candice McQueen said in an email announcing the incident Tuesday.
Baumgartner said the company immediately shut down its online test-taking system and followed proper protocol, and that it is launching an internal investigation. Questar, which is owned by the New Jersey-based Educational Testing Service but headquartered in Minnesota, has also received inquiries from the Minnesota Bureau of Investigation.
McQueen does not believe that student data was breached. Questar did not provide details about the technical nature of the incident.
“There is absolutely no evidence that student data or information has been compromised,” she wrote in an update to school directors on Tuesday. “We believe the testing program performed as designed to mask and protect student information. Again, the software is designed to save students’ work, so if their testing session was disrupted, they can resume and submit their answers.”
In Tennessee, following Wednesday’s hearing, McQueen called for the Tennessee Bureau of Investigation and the State Office of Homeland Security to investigate. She also said she plans to engage a third party to analyze Questar’s response to the incident, the Tennesseean newspaper reported. The Mississippi Department of Education has also contacted Questar to inquire about Tuesday’s events, which delayed testing for about an hour.
In a separate incident last Wednesday, April 13, Questar experienced internet problems that the New York Board of Regents’ Chancellor Betty Rosa and State Education Commissioner Maryellen Elia dubbed an “unacceptable failure” for the state’s testing platform. They’ve directed Questar to provide a root-cause analysis of the technical problem, and the New York State United Teachers union has called for an end to statewide online assessments this week until they’re confident no more problems will arise.
In an email sent to the Democrat & Chronicle, Baumgartner said Tuesday’s delay presented “a data pattern presented itself that was not consistent with anything we have experienced prior,” but did not call it a cyberattack. The company flew out 10 employees earlier last week, according to Baumgartner, to ensure that the rest of testing went smoothly, which appears not to have been effective.
South Dakota and Missouri have not commented on the delays that Baumgartner referenced on Wednesday.
Questar Assessment Inc. currently has contracts to provide standardized testing for 12 states, according to its website. In January, both New York and Mississippi had student data stolen in data breaches that targeted Questar.