Cybersecurity at TAS: how safe are TAS accounts?

The TAS IT Department consists of 2 administrators, 5 data team members, 4 operations team members, 3 AV team members, 2 network team members, 3 helpdesk members and their department office manager.

Taipei American School (TAS) students and faculty have been receiving pop-ups on their Google browsers since the start of the 2022-23 academic year, requesting that the user indicate that they are not a “robot.” 

Former Information Technology (IT) Director Mr. Dan Hudkins speculates that, with limited Internet Protocol (IP) addresses that handle information across a network, a TAS Google user has become part of a botnet, a network of private computers infected with malicious software.

Google has a policy of verifying sources that generate an unusual amount of traffic, said Mr. Hudkins, who continues to oversee the IT Department until leaving Taiwan on Sept. 30.

As the IT Department continues to work with Google, the case remains under investigation. 

Beyond external threats to TAS’s internet safety, TAS-affiliated accounts are subject to privacy, confidentiality and cybersecurity risks. With over 1,800 students on TAS accounts, students have entrusted much of their academic and private lives to their school accounts, which include Microsoft, Google, PowerSchool, Canvas and other external platforms. 

“You have a very reasonable expectation of privacy,” Mr. Hudkins said. “But you have zero expectation of confidentiality.”

Different employees in the school, however, have different permissions to access data in different systems, current IT Director Mr. Samuel Quek said. For instance, registrars would require access to student schedules, principals would have access to all student and teacher accounts in Canvas and educational technology teachers would likewise have access to student accounts in Clever, Seesaw and Canvas. 

The IT Department has undertaken several projects to review its security posture, requiring employees who have access to sensitive student data to use multi-factor authentication, a data security method in which a user must present a combination of two or more credentials before logging in, according to Mr. Quek.

Another strategy adopted, Data Minimization, aims to collect minimal data. “You can’t lose what you don’t have,” Mr. Quek said. 

For Grades 10 to 12, Mobile Application Management (MAM) allows the IT Department to set compliance rules governing how applications are distributed. Applications include anything provided in the Adobe Creative Cloud. For instance, MAM allows the IT Department to check whether there are security patches and whether the operating system is currently up to date.

MAM is used to ensure that each application runs without the risk of malware that often comes with external applications. Serving as the operators of these applications, including Adobe Creative Cloud, the IT Department has full access to information and data across these applications.

In each instance of oversight by the IT Department, data on TAS accounts belongs to the organization that owns it all: TAS.

“Generally, we follow a password policy that is complex enough to keep our accounts secure and private,” said Mr. Jason Kiang, who is the upper school electronic systems info specialist. 

Ultimately, as with many other work or school accounts, data entrusted to those platforms is merely private, not confidential.