Data of hundreds of thousands of Dutch students sent unencrypted for years
Magister, the most widely used school administration software in The Netherlands, has been sending exam results and personal messages of students unencrypted over the internet for many years. They were informed repeatedly over the past 18 months about this issue, but it was only fixed two weeks ago.
UPDATE: After publishing this blog I was interviewed by the Dutch newspaper Trouw and online news site NU.nl.
Let me first introduce the software involved. After that I'll explain the problem and my experience with reporting the issue to the vendor. Finally, at the end of the article, I try to give an estimate of the potential number of students affected.
About Magister
Magister is the most widely used software for school administration in The Netherlands. The system contains student data, exam results, an electronic learning environment, a messaging system and more. Part of it could be compared to Blackboard, but it has more features. The software is made by Schoolmaster, nowadays part of Iddink Group (a publisher).
Magister is an online application. It's always hosted by Schoolmaster itself. You access the software through an online website, RDP or a mobile app.
The leak
Like many online services, Schoolmaster was smart enough to secure their websites with HTTPS years ago. This ensures that data travelling to and from the website cannot be read by an eavesdropper. Unfortunately, the website is not the only way student data is communicated.
The school administration software has the option to send an e-mail when an exam result is updated. So, each time a teacher enters a new grade or updates an existing grade of a student, an email is sent. This is a useful tool to combat fraud: should a teacher's account be hacked, the teacher will see email notifications about changes (s)he didn't make. For this reason, a lot of schools turn this feature on.
The problem is that Magister takes no effort to securely send these emails.
Here's a screenshot of an actual email that was intercepted by me:
I had to censor out the actual details, but the basic content of the message is that a student with name XYZ now has a grade of Z. Such an email is sent for each and every grade that is newly entered or updated.
So, while on one hand the website looks secure and data is encrypted, at least part of the sensitive data is leaked over an unencrypted channel, namely email.
How serious is this?
Are student grades sensitive data?
The GDPR is pretty strict about this. First of all, the people involved are children, and children are data subjects who merit specific protection under the GDPR. Then, as for the data itself (grades, in this case): when exposed, it could harm the person involved. Think of reputation: famous persons like our king, his children or a cabinet minister confronted with the weak grades (s)he got at school. Think of commercial interests: a commercial party holding the grades of many students can "more easily" judge and reject people who apply for a job, a loan, etc.
In 2014, the Dutch House of Representatives was not pleased when it became clear that publishers shared student results with companies.
But it's only grades, right?
To make matters worse, it's not only grades that are sent unencrypted. The electronic learning environment also contains a messaging system for students and teachers. Everyone I know enables the account setting "Send an email when there is a new message". This means you get an email whenever a new message arrives in the electronic learning environment, and that email includes the content of the message. Such messages may contain anything, ranging from a harmless question about a science book to messages from students to teachers/mentors about their illness or problems at home. This data can be extremely sensitive.
The Dutch Data Protection Authority rightfully dictates that a Data Protection Impact Assessment (DPIA) must be conducted for school administration systems. All because of the sensitive nature of the data and persons involved.
Is it a realistic threat?
Someone with malicious intentions can gather all student grades by passive eavesdropping. To do this, the eavesdropper has to be somewhere on the network path between the school's email server and Schoolmaster. The best position would be central, or close to Schoolmaster: that would enable one to capture mail to all schools, and possibly all student grades and communication. Now, massive eavesdropping isn't just theory. There are nation-state surveillance programs, PRISM among them, whose aim is to intercept internet traffic on a massive scale, and the (in)famous Belgacom hack showed that the network operators carrying that traffic are themselves compromised to get at it. If done properly, the interception is completely stealthy: nobody will know or see that it is, or was, taking place. Plaintext SMTP offers such an eavesdropper no resistance at all; the grades and messages can be read straight off the wire.
The next-best option for someone with malicious intentions would be to intercept data at the router in front of an individual school's mail server. This would capture all unencrypted communication for that particular school. This too isn't fiction. New security issues are discovered in routers every month and security updates are often not installed by users. Two months ago, the FBI reported that Russians had hacked hundreds of thousands of home and office routers. Trend Micro, an anti-virus software vendor, wrote a more detailed article about the malware, called VPNFilter. According to Trend Micro, the VPNFilter malware infected more than half a million routers worldwide and included code to intercept network traffic.
Fixing the leak
Is it really wise to send sensitive messages over email? I wrote an article about sending personal data by email earlier. My conclusion: do not send anything other than basic personal data (name, address) over email. At the very least, configure STARTTLS and DANE at your email server so that emails are encrypted in transit whenever the receiving server supports it. Note that opportunistic STARTTLS on its own only protects against passive eavesdropping: an active attacker on the path can strip the STARTTLS capability from the receiving server's reply, and the sending server silently falls back to plaintext. DANE (TLSA records published in DNSSEC-signed DNS) closes that gap, because a sender that finds a TLSA record knows the receiver supports TLS, can verify the receiver's certificate, and refuses to fall back to plaintext. As stated in the article, Google statistics show that roughly 90% of emails would then be sent encrypted. Unfortunately, Magister/Schoolmaster took no such effort. They never employed STARTTLS; they always sent all emails unencrypted.
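To make the difference between opportunistic STARTTLS and DANE concrete, here is an added example in Python. It is my addition, not the author's code and not anything from Schoolmaster or Iddink. It models the sending server's delivery decision for the policy levels `none`, `may`, `dane` and `dane-only` (the names and fallback behaviour follow the Postfix `smtp_tls_security_level` documentation, but this is a model, not Postfix's code) and implements the TLSA matching rules from RFC 6698 for the DANE-EE case. The certificate, SubjectPublicKeyInfo and TLSA record bytes are constructed placeholders, not real DER or a real DNS record.

```python
import hashlib
from typing import NamedTuple, Sequence

# Added example: a simplified model of the sending MTA's decision. Opportunistic
# STARTTLS ("may") falls back to plaintext the moment the receiving side does
# not advertise STARTTLS, which an active attacker on the path can arrange by
# stripping the capability. DANE binds the receiver's certificate to a DNSSEC-
# signed TLSA record, so a sender that finds TLSA records can refuse to fall back.


class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse the presentation form of a TLSA record, e.g. '3 1 1 <hex>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex("".join(hexdata.split())))


def association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    subject = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return subject
    if record.matching == 1:
        return hashlib.sha256(subject).digest()
    if record.matching == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {record.matching}")


def dane_ee_match(records: Sequence[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE (usage 3) record matches the presented certificate.

    Only usage 3 is modelled here; usages 0-2 additionally need chain building
    (and, for 0/1, PKIX validation), which is left out to keep the example short.
    """
    return any(association_data(r, cert_der, spki_der) == r.data
               for r in records
               if r.usage == 3 and r.selector in (0, 1) and r.matching in (0, 1, 2))


def decide_delivery(level: str, offers_starttls: bool, records: Sequence[TLSA],
                    cert_der: bytes, spki_der: bytes) -> str:
    """Return 'plaintext', 'tls', 'authenticated-tls' or 'defer' for one delivery attempt."""
    if level == "none":
        return "plaintext"
    if level == "may":
        return "tls" if offers_starttls else "plaintext"
    if level in ("dane", "dane-only"):
        if not records:
            # 'dane' degrades to opportunistic TLS when the receiver publishes
            # no TLSA records; 'dane-only' refuses to deliver at all.
            if level == "dane-only":
                return "defer"
            return "tls" if offers_starttls else "plaintext"
        if offers_starttls and dane_ee_match(records, cert_der, spki_der):
            return "authenticated-tls"
        return "defer"   # TLSA published but no matching TLS: never fall back
    raise ValueError(f"unknown level {level}")


# Constructed placeholders standing in for DER-encoded data (not real keys).
SPKI_DER = b"constructed SubjectPublicKeyInfo bytes for mx.receiver.example"
CERT_DER = b"constructed certificate bytes wrapping " + SPKI_DER
ROTATED_SPKI = b"constructed SubjectPublicKeyInfo bytes after a key rotation"

# What the receiver would publish at _25._tcp.mx.receiver.example (DNSSEC-signed).
PUBLISHED_TLSA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


if __name__ == "__main__":
    recs = [parse_tlsa(PUBLISHED_TLSA)]
    for lvl in ("may", "dane"):
        print(lvl, "with STARTTLS stripped ->",
              decide_delivery(lvl, False, recs, CERT_DER, SPKI_DER))
    print("dane, key rotated without updating TLSA ->",
          decide_delivery("dane", True, recs, CERT_DER, ROTATED_SPKI))
```

The two results worth noticing: with `may`, a stripped STARTTLS capability yields `plaintext`, exactly the condition the eavesdropper above needs; with `dane` the same situation yields `defer`, so the grades stay on the sending server until TLS is available. The third call shows the operational caveat of DANE: rotate the receiver's key without updating the TLSA record and mail is deferred, so the DNS change has to be part of the certificate rollover procedure.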
Even better would be to omit the sensitive data from the emails altogether. You can still send an email about grades being updated: show the name and class, but don't show the actual grade. You can send an email about a new message being available, but don't include the actual message content. This is what the Dutch government does for its MijnOverheid system (used for digital communication with citizens): you receive an email notification that a new message is available, and to see the actual content you have to log in online. Annoying? Yes, but also more secure, and it means the email channel no longer carries anything worth intercepting even when it is unencrypted.
Reporting the issue to the company
My attempts to report this issue to the company were far from smooth. This may be a bit dull to read, but I think it's worth sharing:
Attempt 1: December 11, 2016
I first noticed this problem while tracing an email problem 18 months ago. I immediately reported it to Schoolmaster. My original email is in Dutch but basically says: I suggest you employ STARTTLS to encrypt emails, because right now the data travels unencrypted and this is something that could be interesting for a third party to intercept. I also pointed them to the Safer email initiative from Google.
I received no response.
Attempt 2: February 9, 2017
My colleague submitted the same problem using the official helpdesk ticket system. The only response she received was:
Thank you for submitting this suggestion. Suggestions are periodically looked at by our Product Development department. We will look at the technical feasibility and the general applicability. Should a suggestion be implemented then it will be listed in the release notes.
Attempt 3: April 19, 2018
After bringing the issue up at a meeting of our GDPR working group at the school I work for, it was suggested that I should contact Schoolmaster again. So, I sent another email. This time I no longer called it a suggestion but called the practice of sending sensitive personal data over unencrypted mail very unwise. I sent this email to the official "responsible disclosure" email address of Iddink Group, the parent company. To quote the first part of my email:
At the end of 2016 I sent a message explaining that emails from the school administration system are sent unencrypted. Unfortunately, nowadays in 2018, that is still the case. I think it is very unwise to send names of students and grades over the internet in plaintext (without any form of encryption). The same is true for messages from the Electronic Learning Environment (Dutch: ELO). The current data protection law requires "adequate security" for personal data and I doubt that is the case. With the upcoming GDPR I think you can be in serious trouble.
I received a short acknowledgment 4 days later:
Thank you for the message. We have informed the department involved, you can expect a more substantial reply later.
First substantial response: June 4, 2018
At this point I still hadn't received any substantial reply, even though their own website on responsible disclosure states:
What we promise: We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
So, on May 30, five weeks (!) after the third (!) report, I sent another email asking for a more elaborate response. Five days later I received a two-sentence response:
We are currently configuring a new SMTP server. The server is almost ready and shall soon be implemented. The points you highlighted will be addressed.
So, maybe a little short and late, but glad to hear they were working on a solution.
Follow-up response: June 14, 2018
Ten days later I received a longer and more serious response from their Information Security Officer. To quote part of it:
We are currently upgrading our mail servers to the latest standards. The guidelines from the Standardization Forum will be leading. I'll leave it up to the Operations department if STARTTLS is a suitable solution for the problem you reported to us. We strive to find a secure way to send email, according to the standards, in a way that works with our software.
I wrote about this earlier: the Standardization Forum (Dutch: Forum Standaardisatie) publishes guidelines on which standards must be implemented by (semi-)public institutions. Among them are STARTTLS and DANE, which together encrypt email in transit.
The relevant standard has been mandatory for all (semi) public institutions since 2016. Even though Schoolmaster/Iddink is not a public institution, they are active in the educational sector. It's good they nowadays recognize that they should implement these standards. It would have been better if they had been more responsive and quicker to implement these standards, though.
Fixed?
While writing this article I was going through mail server logs and noticed the last unencrypted mail from Schoolmaster was delivered on August 1, 2018. The first encrypted mail was delivered on August 3. So, presumably, somewhere between these dates they started using STARTTLS to encrypt emails. I was not informed by Schoolmaster about this.
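The check described in this paragraph can be automated. The following added example (my addition, not the author's tooling and not Schoolmaster's code) parses the `Received:` trace headers a Postfix receiver writes and reports the last plaintext and the first encrypted delivery from a given sender. Postfix records a session that negotiated STARTTLS as protocol `ESMTPS` and, when `smtpd_tls_received_header` is enabled (it is off by default), also adds a `(using TLSv1.2 with cipher ...)` clause; a plaintext session shows plain `ESMTP` and no such clause. The headers and dates below are constructed to mirror the dates in the paragraph, not copied from real logs.

```python
import re
from collections import namedtuple
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Optional, Tuple

# Added example, not the author's tooling. Assumes Postfix-style trace fields:
# an encrypted session is logged with protocol "ESMTPS" and (optionally) a
# "(using TLSvX.Y with cipher ...)" clause; plaintext shows "ESMTP" only.

Hop = namedtuple("Hop", "timestamp encrypted tls_version cipher")

TLS_CLAUSE = re.compile(r"\(using (?P<version>TLSv[0-9.]+) with cipher (?P<cipher>\S+)")
PROTOCOL = re.compile(r"\bwith (?P<proto>E?SMTPS?A?)\b")

# Constructed sample headers (not real mail), one hop each, from the same sender.
SAMPLE_HEADERS: List[str] = [
    "Received: from mail.sender.example (mail.sender.example [192.0.2.10]) "
    "by mx.school.example (Postfix) with ESMTP id 4A1B2C3D; "
    "Tue, 31 Jul 2018 14:02:11 +0200",
    "Received: from mail.sender.example (mail.sender.example [192.0.2.10]) "
    "by mx.school.example (Postfix) with ESMTP id 4A1B2C3E; "
    "Wed,  1 Aug 2018 09:15:40 +0200",
    "Received: from mail.sender.example (mail.sender.example [192.0.2.10]) "
    "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) "
    "(No client certificate requested) "
    "by mx.school.example (Postfix) with ESMTPS id 4A1B2C3F; "
    "Fri,  3 Aug 2018 08:30:05 +0200",
]


def classify_received(header: str) -> Hop:
    """Classify one Received: header as an encrypted or plaintext hop."""
    # RFC 5321 puts the date-time after the final ';' of the trace field.
    date_part = header.rsplit(";", 1)[1].strip()
    timestamp = parsedate_to_datetime(date_part)
    tls = TLS_CLAUSE.search(header)
    proto = PROTOCOL.search(header)
    # Either signal is sufficient: the protocol name is always present, the
    # cipher clause only when the receiver is configured to add it.
    encrypted = tls is not None or (
        proto is not None and proto.group("proto") in ("ESMTPS", "ESMTPSA"))
    return Hop(timestamp, encrypted,
               tls.group("version") if tls else None,
               tls.group("cipher") if tls else None)


def find_transition(headers: Iterable[str]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (last plaintext delivery, first encrypted delivery); None when absent."""
    hops = [classify_received(h) for h in headers]
    plain = [h.timestamp for h in hops if not h.encrypted]
    tls = [h.timestamp for h in hops if h.encrypted]
    return (max(plain) if plain else None, min(tls) if tls else None)


if __name__ == "__main__":
    for hop in map(classify_received, SAMPLE_HEADERS):
        state = f"TLS {hop.tls_version} {hop.cipher}" if hop.encrypted else "PLAINTEXT"
        print(hop.timestamp.isoformat(), state)
    last_plain, first_tls = find_transition(SAMPLE_HEADERS)
    print("last plaintext delivery:", last_plain)
    print("first encrypted delivery:", first_tls)
```

Two caveats a practitioner should keep in mind when reading such output. The header only describes the hop into your own server, which in this case is the relevant one because Schoolmaster delivers directly to the school's mail server; for mail relayed through an intermediate provider you would have to inspect every hop. And "encrypted" here means the session used STARTTLS, not that the sender verified your certificate: opportunistic TLS is still subject to the downgrade described under "Fixing the leak".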
How many students are affected?
The exact market share of Magister is hard to find. The company itself claimed in 2014 at least 450 schools, and nowadays claims "at least 500" schools on their main website. Various news sites mention a market share of 70%.
The number of students in high schools in The Netherlands was 995,725 students in the year 2016-17 according to the official Dutch Statistics. If the 70% market share is true then this translates to slightly under 700,000 Dutch high school students that are potentially affected.
I don't know the actual number of schools and students affected. The reason for this is that sending an email on grade changes is a configurable option in the Magister software. I expect a lot of schools will have this turned on, but I do not know for sure, only Schoolmaster knows. Similarly, the sending of email on ELO messages is an account option every individual user can set. I expect that by far the majority of teachers have this feature turned on (every teacher I know does), but again, only Schoolmaster can give proper statistics on this.
Rationale
- While writing this article I was waiting for a notification that the issue was fixed, or at least partially mitigated by STARTTLS. Unfortunately, I did not receive such a message. It does seem, though, that STARTTLS got turned on at the beginning of this month.
- Emails between me and Schoolmaster were in Dutch. The quotes in this article were translated to English and sometimes shortened for readability. Should Schoolmaster/Iddink disagree with the translation (or request it) then I'm happy to publish all original Dutch emails back and forth to them on the subject from 2016 up to now.
- Should I have been more persistent when reporting the issue? In hindsight, I probably should have. Still, the issue was reported to them multiple times over multiple channels, and at least the February 2017 case got a response from them. Judging from the lack of further action on their side, I think we can safely say that fixing the issue was not a priority for them. I'm very grateful the GDPR came into force in May 2018; it seems to help a lot in getting people's attention.