After some trials in March of 2016, EQAO scheduled a large scale trial of The Ontario Secondary School Literacy Test (OSSLT) on October 20th and was set to accommodate up to 250,00 students in two sittings. It was a no-lose proposition for any students that chose to write it, because if they passed the online version they could avoid writing the test in its regular pencil and paper version in March, 2017. If they failed, they could still write it again later.

The day before EQAO was confident they were prepared for any potential technical issues:

But even as EQAO was wishing students good luck it became obvious they weren’t as prepared as they’d previously thought:

EQAO remained confident that this was a minor problem even though teachers assured them that it was anything but minor:

After an hour’s delay EQAO continued to insist that students wait in the assessment rooms:

It took almost 3 hours before EQAO announced (on social media) that they were cancelling the test:

At 6:23 pm on October 20th EQAO released an official statement apologizing for the cancellation, saying they didn’t know what had happened and would be investigating the cause. Over ten hours since they’d known there was a problem and EQAO still hadn’t figured out what happened.

There was no further comment from EQAO for four days, but On October 24th they announced that the test had been cancelled due to “…an intentional, malicious and sustained” type of cyberattack, a Distributed Denial of Service (DDoS) attack. Coincidentally, this was the same type of attack that took out large parts of the internet in Europe and North America on October 21st.

Since then the students and educators involved, and the province in general, have been trying to figure out exactly what happened. Education Minister Mitzie Hunter called it “extremely disappointing” and Education Critic Lisa Gretzky wondered about the costs of the failed test:

Around all this discussion is a sense of uneasiness. A feeling that we don’t have the full story about what really happened. There are so many unanswered questions.

For example:

Why did the EQAO attack last so long and take so long to identify?

The EQAO Attack lasted three hours and 10 hours later it still hadn’t been identified as a DDoS attack. By comparison the massive Dyn Attack was identified almost immediately, the public was notified right away, and it was resolved in a little over two hours. Why did it take EQAO so long?

Who investigated ?

Apparently “IT experts and a third-party forensic team spent the weekend trying to figure out what happened” but who exactly did the investigation remains a mystery. Why? When tax dollars are being used why isn’t there full and transparent disclosure?

What successful trials?

Before and after October 20th EQAO mentioned repeatedly that they had conducted “several successful tests” of the OSSLT platform. However, some of the teachers involved in those tests dispute that they were “successful”, and said that the same issues that shut down the OSSLT on October 20th were present in the March tests.

Was the testing platform stable?

The online platform that EQAO was using for the OSSLT is called Measurement Incorporated Secure Testing (MIST), sold by Measurement Incorporated, a company based in North Carolina that “provides achievement tests and scoring services for state governments, other testing companies, and various organizations”.

The same platform had problems in February, 2016 when used for school testing in Tennessee that seem awfully similar to what happened in Ontario on October 20th.

There are also many implications for EQAO moving forward:

  • While the test was eventually cancelled some students were able to complete the online test (why??). Will those completed tests still be marked? If they aren’t, isn’t that unfair to those students who persevered?
  • EQAO stores millions pieces of data on students from eight years of age and older. Given what happened on October 20th, how can Ontario parents remain confident that personal information about their children will remain private when testing becomes online?
  • Will we ever know what happened? Richard Jones, director of assessment for EQAO said “I’m not sure if this kind of thing can ever be figured out,” which won’t fill anyone with confidence.
  • Should EQAO have been better prepared for what happened. Cyber security lawyer Imran Ahmad thinks so:

screen-shot-2016-10-25-at-1-46-47-pm

Ontarians should know what happened, why it happened and what EQAO is doing to prevent it from ever happening again. Our students and families deserve that. A confused shrug from Richard Jones isn’t good enough.