Online testing firm agrees to security audit after inquiry from senator

It’s another case of privacy and security risks emerging in technology that is key to adapting to the coronavirus pandemic.
Sen. Ron Wyden, D-Ore., at a Feb. 24 hearing of the Senate Committee on Energy and Natural Resources. Wyden asked online-testing firm ProctorU to bolster its cybersecurity. (Photo by Leigh Vogel-Pool/Getty Images)

A company whose software has been widely used to administer law school entrance exams during the coronavirus pandemic has agreed to an independent audit of the software after a U.S. senator raised cybersecurity concerns about the product.

Alabama-based ProctorU’s web-browser extension software has allowed people across the U.S. to take the LSAT exam from home during the pandemic. But Sen. Ron Wyden, D-Ore., worried that the same accessibility, if left unsecured, could give cybercriminals a foothold on test-takers’ devices.

And so, after inquiries from Wyden, ProctorU has hired outside security experts to review its software and the tool it uses for remote troubleshooting, according to the Law School Admissions Council (LSAC), which administers the LSAT. More than 145,000 LSAT exams were administered online from May 2020 to February 2021, and ProctorU appears to be the main contractor for doing so.

It’s another case of privacy and security risks emerging in technology that is key to adapting to the COVID-19 era, echoing the vulnerabilities that researchers have found in contact-tracing applications.

ProctorU is one of multiple companies that use web cameras, facial recognition and human proctors to monitor test-takers for signs of cheating. Some test-takers have complained that the software tools exhibit racial bias or are insensitive to people with disabilities, charges the companies say they take seriously.  

Browser extensions — software that a user can add to browsers like Chrome and Safari to give them custom features — are sometimes vessels for fraud. In a case unrelated to ProctorU, Microsoft found that hackers were hijacking popular browsers to gin up web traffic in a scam that at one point affected 30,000 devices a day.

The LSAC said it has not received any complaints from test-takers that the ProctorU software accessed inappropriate data or exposed their computers to hacking.

Still, ProctorU’s audit will reassure test-takers that the company is taking “the necessary security measures” to protect their data, LSAC general counsel Leanne Shank wrote in a March 30 letter to Wyden’s office. The council will also try to negotiate contracts with vendors that do not absolve the vendor of any cybersecurity risks that come with the software, Shank said.

ProctorU was the victim of a large data breach that came to light last year, when someone on a hacking forum offered to sell some 444,000 records of personally identifiable information stolen from a ProctorU server. ProctorU confirmed the breach and said the data was from prior to 2015. The company also said it instituted heightened security measures after the breach.

Wyden told CyberScoop that the move to online testing made him concerned that students wouldn’t have a choice but to use software that hadn’t been independently vetted.

“While the pandemic has forced much of our education system online, that’s no excuse to sacrifice students’ right to privacy and security,” Wyden said. “I hope to see other testing groups following LSAC’s example.”

It is unclear which firm ProctorU hired to do the audit. ProctorU did not respond to requests for comment.

Test-taking is not the only facet of education whose exposure to cyberthreats has grown during the pandemic. Ransomware attacks on colleges doubled from 2019 to 2020 as institutions shifted to remote learning, according to a study from security firm BlueVoyant.

You can read the full letter from the LSAC to Wyden’s office online.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
