This student hacked his school system to change his grades, but leaked other students’ data

You never know where a hacker might appear. Digital forensics specialists report that a teenager managed to infiltrate the systems of a high school in the suburbs of Maryland, US, to extract personal information, academic registers, and SAT test scores from more than 1300 students.

In a statement, Montgomery County revealed that the young man had accessed and downloaded the compromised data last October 3rd by accessing Naviance, an online software used by students at Wheaton High School and other schools in the district to prepare for college.

According to the county’s digital forensics specialists, the student developed an algorithm capable of testing multiple combinations of usernames and passwords to access the online system, a kind of brute force attack. Because the hacker is a minor, his identity has not been revealed.

In this regard, Hobsons, the company responsible for the Naviance system, issued a statement mentioning that “immediate action was taken to contain and mitigate the impact of the intrusion.” The company also claims that it notified all public schools in the county and is working with those involved to ensure the integrity of the rest of Naviance’s accounts. “The security of the students’ information in these schools is one of our main obligations and responsibilities,” the company’s website says.

Derek Turner, a spokesman for the Montgomery School District, mentioned that in addition to the disciplinary action imposed by school authorities, the student responsible for the intrusion could face criminal charges. Due to the incident, Naviance had to reset the passwords of all the students in the county.

In total, the accounts of 1,343 students and one parent were affected by the incident. Exposed records include data such as:

  • Full names
  • Contact details
  • Ethnicity
  • Gender
  • Standardized test (such as SAT) scores and school grade averages

The Maryland school system claims that students’ financial information and social security numbers were not compromised.

Hobsons’ digital forensics experts mention that the intrusion would have occurred around 8 p.m. on October 3rd. Just hours later, Naviance staff detected suspicious activity and blocked the source IP. That same night Hobsons reset the passwords of all users in the county and notified the potentially affected schools.
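
The response described above (spot the guessing run, block the source IP, reset the affected passwords) can be sketched as detection logic over authentication logs. This is an added example, not code from Hobsons or Naviance; the log format, the thresholds, the `analyze` function and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window
MAX_FAILS = 5                  # assumed failed-login threshold per source IP
MIN_USERS = 3                  # assumed distinct-username threshold per source IP

# Constructed sample log (format assumed): "<ISO time> <source IP> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T20:00:01 203.0.113.7 student001 FAIL
2024-01-01T20:00:02 203.0.113.7 student002 FAIL
2024-01-01T20:00:03 203.0.113.7 student003 FAIL
2024-01-01T20:00:04 198.51.100.20 parent01 FAIL
2024-01-01T20:00:05 203.0.113.7 student003 OK
2024-01-01T20:00:06 203.0.113.7 student004 FAIL
2024-01-01T20:00:07 203.0.113.7 student005 FAIL
2024-01-01T20:00:30 198.51.100.20 parent01 OK
2024-01-01T20:00:31 203.0.113.7 student005 OK
"""

def analyze(log_text):
    """Return (source IPs to block, accounts whose passwords need a reset)."""
    fails = defaultdict(deque)     # ip -> failed (time, user) pairs inside WINDOW
    logins = defaultdict(set)      # ip -> users that logged in successfully
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, user, result = line.split()
        when = datetime.fromisoformat(stamp)
        if result == "OK":
            logins[ip].add(user)
            continue
        window = fails[ip]
        window.append((when, user))
        while when - window[0][0] > WINDOW:   # drop failures older than WINDOW
            window.popleft()
        # Many failures across many usernames from one address = guessing run
        if len(window) >= MAX_FAILS and len({u for _, u in window}) >= MIN_USERS:
            flagged.add(ip)
    # Every account opened from a flagged address is treated as compromised,
    # including logins that succeeded before the threshold was crossed.
    return flagged, {u for ip in flagged for u in logins[ip]}

if __name__ == "__main__":
    block, reset = analyze(SAMPLE_LOG)
    print("block:", sorted(block), "reset:", sorted(reset))
```

A single mistyped password from another address (the `parent01` lines) stays below both thresholds, so that address is not blocked and that account is not reset.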

Local authorities and the affected school began an investigation to find the person responsible, who was identified a few days later in possession of some devices possibly used during the intrusion. Authorities believe the extracted information could have been shared with at least two other students.

According to the digital forensics specialists from the International Institute of Cyber Security (IICS), everything indicated that the teen planned to modify his school grades. However, it is still unclear whether the student accessed this pre-university system incidentally or if he acted intentionally by seeking personal details about his classmates.
