By Frederick Lane ~ 6 January 2023

This C4E Digest is 1,347 words, or approximately a 6-minute read.

💾 Above the Fold: Another Massive Student Data Breach

Clouds and a Starry Sky [Frederick Lane, 2022]
Clouds and a Starry Sky [Frederick Lane, 2022]

Cloud storage is wonderful ... except when it isn't. A research team at vpnMentor, an online privacy firm, recently discovered that education publisher McGraw Hill exposed the personal data of more than 100,000 students.

  • McGraw Hill stored the data in Amazon Web Services S3 buckets, a widely-popular type of cloud storage.
  • Unfortunately, McGraw Hill misconfigured the settings of its data buckets, allowing anyone with a web browser access to more then 22 terabytes of student data and teaching materials.
  • The misconfiguration may have allowed access as early as 2015.

Slow response: In its report, vpnMentor said that it contacted McGraw Hill multiple times about the security breach before the company responded.

Implications: A possible seven-year leak of confidential student and teacher information raises a number of security concerns.

  • vpnMentor "saw the online records contained very sensitive information such as students' names, email addresses, performance reports and grades. The two buckets also contained teachers' syllabi and course reading materials, and even some very sensitive stuff belonging to McGraw Hill itself including private digital keys and source code." -- Alfonso Murricia, TechSpot

McGraw Hill spokesperson Tyler Reed said that the company fixed the problem by mid-summer 2022.

  • "McGraw Hill takes cybersecurity extremely seriously and has in place processes to identify potentially exposed data and quickly respond. This summer, as part of our routine testing processes, we became aware of files that were not properly secured, some of which included personal information. Following our internal incident response procedures, we removed the identified files. We are currently investigating this issue." -- Tyler Reed, email to Best Colleges

Read More:

Cybertraps #145 — Virtual Life vs Real Life with Cassie Trueblood

🧱 2. The State of K-12 Cybersecurity: Not Great

Two recently-released reports underscore the ongoing risk to k-12 schools from a range of cybersecurity threats, including unauthorized access, data loss, ransomware, and malware.

Emisoft, a New Zealand-based cybersecurity software firm, opened the new year by publishing "The State of Ransomware in the US: Report and Statistics 2022."

  • 45 school districts and 1,981 schools were affected by ransomware in 2022, with 65% of the schools suffering data exfiltration.
  • The biggest target was the Los Angeles Unified School District, which alone accounted for more than 1,300 of the affected schools.
  • The number of affected schools is almost certainly undercounted, as there is no reporting requirement and many districts actively avoid disclosing that they have been attacked.

Clever, a national edtech platform for digital learning, announced the results of a new cybersecurity survey of school administrators and teachers.

  • Two-thirds of K12 administrators believe that a cyberattack is very or somewhat likely in 2023.
  • Teachers view students as the biggest cybersecurity threat to schools; administrators think that teachers are the biggest risk.
  • There is overwhelming support at all levels of K12 administration and staff for more cybersecurity training.

⚖️ 3. UT Abuse Lawsuit Alleges District Policy Failures

This could get expensive: The 2017 arrest of Drew Tutt, a teacher at Mound Fort Junior High School in Ogden, UT, has drawn the Ogden School District into a rapidly-expanding and potentially expensive lawsuit.

  • Tutt plead guilty in 2018 "to two charges of third-degree felony sexual abuse of a minor student." He served three years of a five-year sentence.
  • The victims were groomed by Tutt on social media and SMS during late-night chats. At least two were sexually assaulted by Tutt.

A lawsuit was filed in 2020 by the two assault victims. They alleged that the Ogden School District failed to protect them from Tutt.

  • One victim alleged that the District failed to take action after the girl's mother filed a formal complaint that Tutt was contacting her daughter late at night.
  • The other victim alleges that the District was aware of Tutt's inappropriate communication and failed to take action.

The Risks of Discovery: In the course of the litigation, plaintiffs uncovered several other instances of students being groomed on social media and then sexually assaulted prior to the Tutt case.

  • The deposition of the District's human resources director revealed that despite those cases, the District made no changes to its policies or training regarding teacher-student interactions prior to the assaults by Tutt.
  • U.S. Magistrate Judge Daphne Oberg allowed plaintiffs to expand their lawsuit to allege a pattern of conduct by the District that violated federal Title IX.

Read More:

Want to reduce the chances that your district or educators will show up in a future edition of The Cybertraps Newsletter? Schedule some timely, informative professional development by contacting me at

👩‍💻 4. NJ Mandates Digital Literacy for Students

New Jersey became the first state to mandate classes in digital literacy for K-12 students.

  • "Advocates say the measure will help students who are bombarded with information from social media and news outlets learn how to discern whether the sources are credible. Media literacy will be required at every grade level." -- Melanie Burney, The Philadelphia Inquirer.

The new law received enthusiastic support from both parties in the state legislature, from the New Jersey Association of State Librarians, and from New Jersey Education Association.

  • "At a time when misinformation and disinformation are eroding the foundations of that democracy, it is imperative that students have the tools they need to determine what information they can trust." -- Sean M. Spiller, president of the NJEA.

The law takes effect immediately and requires the state Dept. of Education to implement digital literacy standards.

  • The standards will include "researching, using critical thinking skills, and learning the difference between facts and opinions and primary and secondary sources."
  • Standards for "information learning, including digital, visual, media, textual, and technological literacy" will be developed by groups of teachers, librarians, and media specialists.
  • Public hearings will be held before the standards are adopted.

Read More:

👗 5. Have You Been Dress-Coded?

A Delaware student teacher named Alison Mutarelli, 21, used her TikTok account to solicit advice on her clothing choices after being "dress coded" – short-hand for receiving a reprimand for inappropriate clothing.

Battles over student clothing are common and often raise difficult issues regarding race, gender, and cultural mores. Thanks to the rise of smartphones and social media, teachers (particularly women) are under increasingly strict scrutiny as well.

What social media taketh away, it also giveth. Educators, parents, and students who are upset about school clothing codes (and their enforcement) can now, like Mutarelli, plead their case to a worldwide audience.


i feel like @Mei Mei #studentteaching #teachertok #BBPlayDate #ShowYourJOWO

♬ original sound - Alison Mutarelli

Read More:

📧 Have a great weekend, everyone! If you have questions, story ideas, or other suggestions, please email me: