Law & Courts

Student Hackings Highlight Weak K-12 Cybersecurity

By Benjamin Herold — June 12, 2018 6 min read
  • Save to favorites
  • Print

A spate of incidents involving students hacking their schools’ networks and software programs is again highlighting the weak cybersecurity practices in K-12 education.

From California to New Jersey, teenagers have allegedly improperly accessed student-information systems, online learning programs, and college-counseling software in at least 10 states this school year. Often, their motivation was to change grades. And, typically, the hacks were technically unsophisticated, involving little more than students finding a teacher’s password or login credentials.

K-12 information-technology experts say the scope of the problem reflects an ongoing failure by schools and districts to take even the most basic measures to protect their networks.

“The biggest challenge to maintaining cybersecurity is not technology but people,” said Marie Bjerede, the principal for leadership initiatives at the Consortium for School Networking, a professional association for school technology officials.

The problem of students using computers to alter school records is nothing new. Consider, for example, the popular 1983 movie “War Games,” in which a young hacker played by Matthew Broderick nearly starts World War III—but not before breaking into his school’s network to change his and his girlfriend’s grades.

Thirty-five years later, similar incidents are still presenting challenges for K-12 leaders. Bolstering cybersecurity is one big issue. But figuring out how to appropriately discipline the students responsible has also proved vexing.

Hacker Prevention

K-12 cybersecurity experts suggest that schools take such basic measures to prevent against hacks as:

Train staff on good password practices: No sticky notes. Use long, complex passwords. Don’t repeat passwords across platforms. Consider password-management software.

Require two-factor authentication: Even if a hacker inappropriately obtains a password, he or she won’t be able to access a network without a second piece of information, such as a code sent to the legitimate user’s mobile device.

Be vigilant about ensuring role-based access to information: No one associated with a school should have access to more information than he needs to do his job.

Patch software regularly. Some more sophisticated hackers seek to exploit vulnerabilities in software. That can often be prevented by making sure programs are updated and patched regularly.

In some cases, districts have launched aggressive criminal investigations that have led to felony charges. Often, such prosecutions have occurred under state laws modeled after the federal Computer Fraud and Abuse Act, which makes it a crime to access certain computers or computing systems without authorization, said Tor Ekeland, a New York City-based defense lawyer who specializes in representing hackers and white-collar defendants.

That approach is often “overzealous” and often motivated by a desire to save face after weak cybersecurity practices are revealed, Ekeland and other experts say. For all but the most serious breaches involving K-12 students, the experts argue, school-based discipline is likely more appropriate.

“These are just kids,” Ekeland said. “If we prosecuted computer crimes in the 1970s like we do now, Steve Jobs and Bill Gates would have gone to jail, and we wouldn’t have Apple and Microsoft.”

Four student-hacking incidents from this school year represent similar problems across the country.

East Brewton, Ala.

Last month, Alabama Attorney General Steve Marshall announced the arrests of a student and teacher in the 4,500-student Escambia County district, charging them with the felony of computer tampering for allegedly altering grades at W.S. Neal High School.

Local news reports alleged that senior Matthew Hutchins had improperly accessed a school computer system (later identified as INow, a student-information and data-management system.) Special education teacher Lisa Odom was also arrested and charged with a felony in connection with the incident.

According to WEARTV.com, school officials noticed discrepancies in the grades of a number of students, prompting the district to delay its announcement of top student performers.

In an interview last month with AL.com, Escambia County Superintendent John Knott said that multiple students were involved and that a full review was underway. AL.com has also reported that an assistant principal’s login credentials were used to change grades over a six-month period.

The Escambia County board of education,the Alabama attorney general’s office, and lawyers for Hutchins and Odom did not respond to requests for comment from Education Week.

Both Hutchins and Odom face up to 10 years in prison if convicted.

In general, Ekeland, who is not directly involved in the Hutchins’ case, said K-12 administrators should think twice about why they’re pursuing such severe measures.

“The hacker bears some responsibility,” Ekeland said. “But a felony will follow a student for the rest of his life.”

Concord, Calif.

Sixteen-year old David Rotaro told California’s ABC13 Eyewitness News that a grade-changing scheme he executed was “like stealing candy from a baby.”

According to local television station KTVU, Rotaro, a sophomore at Ygnacio Valley High in the 32,000-student Mount Diablo district, executed a relatively sophisticated hack. Rotaro reportedly created a fake website that mirrored his district’s actual website, then sent a “phishing” email out to teachers in the hope that someone would use his or her actual login and password to access his site.

Mount Diablo staff are “routinely advised against opening suspected phishing or spam messages,” a district spokeswoman told Education Week. Still, a teacher bit on one of Rotaro’s messages, allowing the student to access the school’s computer system in order to change the grades of roughly a dozen students.

Rotaro, who told local news outlets he hopes to work in IT as a professional, has been charged with 14 felony counts, according to multiple media reports.

Education Week did not receive a response to messages left on a phone number believed to be associated with the student’s family.

Doug Levin, who tracks K-12 cybersecurity breaches through his consulting firm, Edtech Strategies, said the incident highlights the mixed messages schools are giving students.

“We’re telling kids that tech is the future and learning to code is where all the good jobs are,” Levin said. “It’s not surprising that they would use these tools to test limits, including with the school IT systems they know best.”

Tenafly, N.J.

A senior at high-performing Tenafly High allegedly breached the school’s student-information-management system and a software program used to submit college applications and transcripts, apparently because he felt pressure to improve his profile for Ivy League universities.

The school launched an investigation after a guidance counselor noticed the student’s grades had been altered, according to NorthJersey.com. The student was suspended, and his college applications were rescinded.

The local board of education filed two criminal charges against the student, according to the news outlet. An official said the Tenafly police department could not comment on the incident because it involved a juvenile. The Tenafly district did not respond to a request for comment.

In general, K-12 chief technology officers often underestimate the cybersecurity threats they face and fail to take basic precautions, according to a 2017 survey of school IT leaders administered by CoSN and the Education Week Research Center.

One-third of those surveyed said they hadn’t encouraged district staff to upgrade passwords, for example. Just 11 percent said they required two-factor authentication for district accounts.

But thanks to a steady drumbeat of hacking-related headlines, that could be changing, said Bjerede of CoSN.

“I think that awareness of cybersecurity issues has grown dramatically,” she said.

Gadsden, N.M.

Officials in the 14,000-student Gadsden school district notified parents that 55 students allegedly took part in a grade-changing scheme involving an online course.

The students apparently logged into a teacher account on Edgenuity, an online-course provider and grading platform, and changed a total of 456 grades, according to a statement provided by the district.

Five students were suspended, and the remainder will have to redo their work in the courses in which grades were changed in order to receive credit. Twenty-nine seniors were not eligible to graduate on time as a result of the incident.

The hack came to light because Edgenuity logs and time stamps all activities undertaken on each account on its software. But the issue at hand in Gadsden was poor password practices, a spokesperson for the company said.

Good password security ultimately “comes down to the individual entrusted with the password,” an Edgenuity spokesperson said in a statement.

Recurring problems on that front speak to a larger problem in the K-12 sector, said Levin of EdTech Strategies.

“The adults have to take responsibility, too,” Levin said. “If a 14-year old can penetrate your system this easily, you’re not locking the windows and doors like you should be.”

Research Librarian Holly Peele and Staff Writer Sarah Schwartz contributed to this story.
A version of this article appeared in the June 13, 2018 edition of Education Week as K-12 Schools Get Hit Hard By Hacking

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
Leadership in Education: Building Collaborative Teams and Driving Innovation
Learn strategies to build strong teams, foster innovation, & drive student success.
Content provided by Follett Learning
School & District Management K-12 Essentials Forum Principals, Lead Stronger in the New School Year
Join this free virtual event for a deep dive on the skills and motivation you need to put your best foot forward in the new year.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Webinar
Navigating Modern Data Protection & Privacy in Education
Explore the modern landscape of data loss prevention in education and learn actionable strategies to protect sensitive data.
Content provided by  Symantec & Carahsoft

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Law & Courts Posting Ten Commandments in Schools Was Struck Down in 1980. Could That Change?
In 1980, the justices invalidated a Kentucky law, similar to the new Louisiana measure, requiring classroom displays of the Decalogue.
13 min read
Louisiana Gov. Jeff Landry signs bills related to his education plan on June 19, 2024, at Our Lady of Fatima Catholic School in Lafayette, La. Louisiana has become the first state to require that the Ten Commandments be displayed in every public school classroom, the latest move from a GOP-dominated Legislature pushing a conservative agenda under a new governor.
Louisiana Gov. Jeff Landry, a Republican, signs bills related to his education plan on June 19, 2024, at Our Lady of Fatima Catholic School in Lafayette, La. One of those new laws requires that the Ten Commandments be displayed in every public school classroom, but the law is similar to one from Kentucky that the U.S. Supreme Court struck down in 1980.
Brad Bowie/The Times-Picayune/The New Orleans Advocate via AP
Law & Courts Biden's Title IX Rule Is Now Blocked in 14 States
A judge in Kansas issued the third injunction against the Biden administration's rule granting protections to LGBTQ+ students.
4 min read
Kansas high school students, family members and advocates rally for transgender rights, Jan. 31, 2024, at the Statehouse in Topeka, Kan. On Tuesday, July 2, a federal judge in Kansas blocked a federal rule expanding anti-discrimination protections for LGBTQ+ students from being enforced in four states, including Kansas and a patchwork of places elsewhere across the nation.
Kansas high school students, family members and advocates rally for transgender rights, Jan. 31, 2024, at the Statehouse in Topeka, Kan. On Tuesday, July 2, a federal judge in Kansas blocked a federal rule expanding anti-discrimination protections for LGBTQ+ students from being enforced in four states, including Kansas, and a patchwork of places elsewhere across the nation.
John Hanna/AP
Law & Courts Student Says Snapchat Enabled Teacher's Abuse. Supreme Court Won't Hear His Case
The high court, over a dissent by two justices, decline to review the scope of Section 230 liability protection for social media platforms.
4 min read
The United States Supreme Court is seen in Washington, D.C., on July 1, 2024.
The U.S. Supreme Court is seen in Washington, D.C., on July 1, 2024. The high court declined on July 2 to take up a case about whether Snapchat could be held partially liable for a teacher's sexual abuse of a student.
Aashish Kiphayet/NurPhoto via AP
Law & Courts What the Supreme Court's Chevron Decision Could Mean for Biden's Title IX Rule
The decision overrules a 40-year-old precedent and could impact lawsuits challenging the final Title IX rule.
5 min read
Visitors pose for photographs at the U.S. Supreme Court on June 18, 2024, in Washington.
Visitors pose for photographs at the U.S. Supreme Court on June 18, 2024, in Washington. The high court on June 28 overruled a longtime precedent and held that courts, not federal agencies, have the primary authority to interpret ambiguous federal statutes.
Jose Luis Magana/AP