Across the country this past school year, students improperly accessed student-information systems, online learning programs, and college-counseling software in at least 10 states. The primary motivation was to change grades. These hacks typically involved students finding a teacher's password or login credentials.
These hacking incidents reflect an ongoing fundamental failure by schools and districts to take even the most basic measures to protect their networks. As I’ve said in previous blog posts, one of the biggest challenges facing school districts is not so much the technology (although we recommend enterprise solutions like iboss), as it is the people.
As we prepare for the thousands of students who will be traversing school networks, here are just a few reminders:
- Train staff on good password practices: No sticky notes. Use long, complex passwords. Don’t repeat passwords across platforms. Consider password-management software
- Require two-factor authentication: Even if a hacker obtains a password, he or she won’t be able to access accounts and networks without a second piece of information, such as a code sent to the legitimate user’s mobile device
- Be vigilant about ensuring role-based access to information: No one associated with a school should have access to more information than they need to do their job
- Patch software as often as possible: some of the more sophisticated hackers seek to exploit vulnerabilities in software, which can be prevented by making sure programs are updated and patched regularly
- Incorporate other critical cybersecurity technologies, including malware detection and Data Loss Prevention (DLP). More information on DLP technology is available here.
Below are a few recent examples of hacking incidents that occurred around the United States this past school year. These incidents are not isolated—I hear countless stories as I travel across the country, which only reinforces my belief in the work we are doing here at iboss: providing enterprise cybersecurity solutions tuned to protect our nation’s districts and students everywhere!
East Brewton, Ala.
Last month, Alabama Attorney General Steve Marshall announced the arrests of a student and teacher in the 4,500-student Escambia County district, charging them with the felony of computer tampering for allegedly altering grades at W.S. Neal High School.
Local news reports alleged the student improperly accessed a school computer system, a student-information and data-management system. A special education teacher was also arrested and charged with a felony in connection with the incident. According to WEARTV.com, school officials noticed discrepancies in the grades of a number of students, prompting the district to delay its announcement of top student performers.
A sixteen-year-old student told California's ABC13 Eyewitness News that a grade-changing scheme he executed was "like stealing candy from a baby."
According to local television station KTVU, the sophomore at the Mount Diablo district executed a relatively sophisticated hack. He reportedly created a fake website that mirrored his district's actual website, then sent a "phishing" email out to teachers in the hope that someone would use his or her actual login and password to access his site.
Mount Diablo staff are "routinely advised against opening suspected phishing or spam messages," a district spokeswoman said. Still, a teacher took the bait, allowing the student to access the school's computer system in order to change the grades of roughly a dozen students.
A senior allegedly breached the school's student-information-management system and a software program used to submit college applications and transcripts, apparently because he felt pressure to improve his profile for Ivy League universities.
The school launched an investigation after a guidance counselor noticed the student's grades had been altered, according to NorthJersey.com. The student was suspended, and his college applications were rescinded. The local board of education filed two criminal charges against the student, according to the news outlet.
Officials in the 14,000-student Gadsden school district notified parents that 55 students allegedly took part in a grade-changing scheme involving an online course. The students apparently logged into a teacher account and accessed an online course provider and grading platform and changed a total of 456 grades.
Five students were suspended, and the remainder will have to redo their work in the courses in which grades were changed in order to receive credit. Twenty-nine seniors were not eligible to graduate on time as a result of the incident.
The hack came to light because the system that they breached logs and time-stamps all activities undertaken on each account, but the incident could have been avoided altogether with better password practices.
So, as we begin the new school year it is critical that we take the time and effort to embrace effective cybersecurity solutions and establish, modify, and enforce effective policies and practices, including educating both teachers and students on the everyday risks of the connected world.
Ref: Education Week, August 1, 2018
Richard Quinones has spent over 20 years taking on important IT leadership roles at the county, state and national levels. His past experience includes being appointed Los Angeles County’s first chief education technology officer, where he led the delivery of IT services across 80 school districts and five community colleges. He was also appointed senior IT advisor to the National Advisory Council on Education Technology (NACET), and commissioned to advance the roll-out of the U.S. President’s National Public Schools Broadband Initiative. He has also served as senior technology advisor to Los Angeles Unified School District officials, including the office of the chief information officer, and chief executive officer of strategic planning and digital innovation. Richard holds a master’s degree in public administration with an emphasis in e-government from University of La Verne.