The Courier & Advertiser (Angus and Dundee)
Pupils reset passwords after Glow breach
Log-ins to social networking tool scrapped as app vulnerable to abuse
Education Scotland is facing “very difficult questions” after being forced to order a hard reset of all passwords across its national digital learning platform following a major security breach.
An email distributed to head teachers and seen by The Courier has revealed how management called for all log-ins to be scrapped after it emerged children had been encouraged in schools to share credentials with their parents.
It means unauthorised users could have gained access to applications such as Yammer, a social networking tool that allows every school child in Scotland – and by extension anyone with access to their log-in details – to privately send messages to one another.
The service, which is hosted on the Glow learning platform, also allows users, regardless of whether they go to the same school, to view each other’s full name, school, interests, friends and email address.
Access to the app was locked down temporarily after an investigation by The Courier revealed how the Scottish Government’s own impact report had concluded it was vulnerable to individuals looking to find children and “do them harm”.
Education Secretary John Swinney claimed last week the service was “closed to the general public” and had only ever been accessible to pupils and educators.
However, it has now emerged that was not the case.
In some instances, children as young as five were sent home with strips of paper containing log-in details to give to their parents.
The Scottish Government’s own Parentzone website advised as recently as June 10 that the service could be accessed using the pupil’s username and password, “and parents can access their child’s and school’s Glow pages by using the same information”.
The information has since been removed.
Educators were made aware of the need to reset all credentials on the system late last week but it is understood families have still not been warned of the potential security breach.
Iain Gray, Scottish Labour education spokesman, said it was the latest in a series of “very worrying internet safety blunders” by the Scottish Government.
“John Swinney said last week that the Yammer app was closed to the general public, but it now emerges that potentially thousands of adults had access to the site and were able to send private messages to schoolchildren,” he said.
Tory education spokeswoman Liz Smith said it was a “glaring failure” that will “cause huge concern to parents”.
She added: “The SNP government and Education Scotland have got themselves into a huge mess with this, and have some very difficult questions to answer.”
Andy Burrows, NSPCC associate head of child safety online, said there were “clear safeguarding issues” around Yammer’s adoption by education bosses.
He added: “It’s vital that the Scottish Government and Education Scotland look at the risks involved in giving children access to this app to ensure that they are not putting themselves in danger, and that safeguarding risks have been resolved.”
An Education Scotland spokesman said: “When we were made aware of erroneous advice in relation to use of accounts by parents it was decided, with local authorities, to refresh existing passwords for students using Glow.
“Steps have also been taken to ensure local authorities’ websites are providing the right advice locally.
“As Education Scotland does not hold the contact details of parents, informing them of the decision to reset passwords for students using Glow has to be an action for the relevant local authority.
“Education Scotland provides reactive moderation of all Glow services, including Yammer, via the ‘report a concern’ button. This flags content for review by ES staff on a case-by-case basis. It is important to note that the content reported may not ultimately be inappropriate.
“We also monitor Glow for inappropriate words, the list of which is constantly being updated, and we are exploring further options and tools which will enhance and strengthen moderation facilities as part of the ongoing review of Yammer.
“We are working closely with local authorities to ensure these issues are addressed and the service will not be reactivated for pupils until the deputy first minister is fully satisfied that they have been resolved.”
dhealey@thecourier.co.uk