State Education Commissioner MaryEllen Elia is seen in Woodbury on...

State Education Commissioner MaryEllen Elia is seen in Woodbury on Tuesday, Nov. 7, 2017. Credit: Howard Schnapp

An unauthorized user accessed personal information of 31 Nassau students and 21 others statewide who took a computer-based exam last spring administered by a Minnesota-based testing firm, company and state education officials said Thursday.

The state Attorney General’s office has opened an investigation into the data breach that occurred after Questar Assessment Inc. of Apple Valley, Minnesota, administered the statewide test to elementary and middle school students, officials said.

Questar administers New York State standardized tests in English Language Arts and mathematics for elementary and middle school students in grades three through eight.

The data breach was confined to five schools and 52 students, including 21 at John F. Kennedy School Elementary School in Great Neck and 10 more at the Oceanside school district’s School #2, state officials said.

Students’ names, grade levels, teachers, schools, and their education department identification numbers were viewed in the data breach, said New York State Education Commissioner MaryEllen Elia during an afternoon conference call with reporters. However, Social Security numbers and addresses were not accessed, she said.

“This represents a fraction of one percent of the students who were registered for the computer-based testing in the spring of 2017,” Elia said. “Any data breach is unacceptable, particularly when we’re talking about children’s information.”

She added that while “this is not something that should put off a red flag for any parent about safety of a child,” parents need to be informed of the specifics of the breach, and that the department was “taking steps to hold Questar accountable.”

Elia’s office has demanded that Questar hire an independent third party to conduct a security audit of the company’s protocols and submit those results to the education department by Feb. 20. A corrective action plan, detailing steps taken to remedy the matter and ensure that such a breach doesn’t occur again, is due Jan. 26.

Amy Spitalnick, press secretary for State Attorney General Eric Schneiderman, said, “Families deserve to know that their children’s information is safe. We’ve opened an investigation into the Questar data breach.”

In a statement, Questar officials said they intend to cooperate with New York State education officials and implement any recommended changes to prevent another data breach.

“Questar has recently become aware that an unknown person made unauthorized access to Questar systems and to data in our care,” the statement said. “Even though access was to a very minor amount of data any unauthorized access to data is unacceptable. Questar took immediate action to address the unauthorized access.”

Oceanside Superintendent Phyllis Harrington said in an email that the breach affected sixth graders and praised Elia’s office for acting “swiftly.”

“This is an unfortunate situation, and of course we are disappointed that such an occurrence took place,” she said. “At the local level, our district will make a contact to each family directly once we are given specific names of those affected.”

Officials with the Great Neck school district could not immediately be reached for comment.

Latest videos