Data Breach Scenario Trainings
The Data Breach Scenario Trainings are a series of packaged trainings developed by the Privacy Technical Assistance Center, designed to help educational organizations at all levels conduct internal staff development on data breaches. Each scenario has been developed into a customizable training package, providing ready-to-use resources for the scenario leader(s) and participants. Within each scenario, participants break into teams to collaborate and develop two important products: messaging and an incident response plan outline.
Each scenario training consists of three parts:
- The Facilitator’s Guide leads users through the exercise, providing an explanation of its purpose, an outline of the activities and expected outcomes at each step, and suggestions for discussions along the way.
- The Presentation is provided for the leader’s use during the exercise, providing slides and talking points.
- The Handouts are notes to be provided to each team, describing changes to the scenario as it progresses. These notes are also found in the slides. The facilitator should decide whether both tools are needed and edit accordingly.
Password Data Breach Scenario
The Password Data Breach Scenario revolves around a common mistake: the failure to create strong passwords and protect them from compromise. A teacher has written down his login information for the new student information system on a sticky note and put it on his desk. While he is gone, a couple of students discover the note. They then use the teacher’s login to access the system after hours and change students’ grades. Additionally, since the teacher used the same password on other internal systems, the students were also able to access other systems with sensitive employee data, including Social Security numbers and other private information. The goal of the activity is to highlight for district management the need to properly plan for a data breach, and to illustrate the processes, procedures, and skills needed to respond.
Malicious Software Infection Scenario
The Malicious Software Infection Scenario revolves around the inadvertent ransomware infection of an organization that hosts a statewide longitudinal data system (SLDS). Ransomware is a type of malicious software that, when it infects a system, encrypts the contents and data of the system, making the data inaccessible to the system owners. The software then demands payment in order to provide the victims with access to their data again.
In this case, the attack begins with two employees whose desktop computers become infected when browsing the internet. The ransomware then spreads itself to other systems within the organization, eventually impacting production systems and servers containing student data and other sensitive data types. Over the course of one to two hours, participants explore the scenario of a malicious ransomware incident affecting student information as well as other personally identifiable information (PII) from their organization.
Postsecondary Application Data Breach Scenario
The Postsecondary Application Data Breach Scenario revolves around the use of an enterprise application in a postsecondary institution. This application provides a platform for content and document creation, use, and management across the organization for both students and staff. This application is at the heart of how the school manages documents.
Application administrators recently applied an update to the application that addressed certain issues relating to permissions and searching for content within the application. The update silently reset permissions on files affected by the update to a default “world readable” state. Some of the affected documents contain sensitive data like Social Security numbers, names, addresses, and financial data.
Data Sharing Dual Enrollment Scenario
The Data Sharing Dual Enrollment Scenario revolves around a data sharing scenario between a school district and a postsecondary institution. In this scenario, dually enrolled students attend a local community college for credit, and the college provides the students’ transcripts and grade information back to the school district so that the students can receive credit. The district maintains a file transfer service that the community college uses to share student data from the college to the district.
A dually enrolled student is involved in a cyberbullying incident centering on alleged poor performance in the advanced college mathematics courses she is taking. Evidence is uncovered that grades may have been altered and that the incident of bullying may be related to the grade change.
AI-Generated Phishing & Deepfake Calls Scenario
The AI-Generated Phishing & Deepfake Calls Scenario is designed to help participants explore how artificial intelligence (AI) may be used to undermine trust in school district communications. In the middle of a busy fall semester, parents, staff, and students of the agency depend on official communications from the superintendent’s office, including robocalls, text alerts, and emails announcing school closures, safety messages, and other official guidance. Over the past year, AI tools have become part of daily operations, including email functions and tools integrated into the student information system (SIS); teachers, counselors, and administrators all use them regularly. Throughout this scenario, participants will find AI-generated phishing emails and deepfake phone calls threatening the credibility of the district.
AI Tutoring Platform Data Leak Scenario
The AI Tutoring Platform Data Leak Scenario explores the risks of a third-party, cloud-based AI tutoring platform that processes and stores sensitive student data. When the district adopted the program, results were immediate: grades improved, engagement soared, and the platform became the showcase for the district’s innovation agenda. Teachers, parents, and administrators appreciated its effect on student achievement and communication. The platform became inseparable from daily instruction, with teachers utilizing adaptive pacing; students using it for test prep, essay feedback, and late-night homework help; and parents regularly consulting it for student assessment.
In the scenario, a data leak in the tutoring platform exposes education and personal information, sparking legal, ethical, and community concerns.
AI Grading System Compromise Scenario
The AI Grading System Compromise Scenario explores the risks of deploying AI-driven grading systems in a K-12 district that recently adopted an AI-powered grading assistant to save teachers’ time. Staff were impressed by how quickly the system returned scores and the quality of the system’s feedback on students’ work. Parents appreciated the faster grading and detailed comments. Confidence grew so strong that the superintendent approved full rollout across the district’s English and Social Studies departments.
Over time, some teachers notice unusual results: entire classes receiving high marks overnight, students who usually struggle receiving top grades, and falsified comments attached to student work. Public trust in the new system fractures, sparking questions about fairness and accuracy.