More than 50 students at a New Mexico high school are facing disciplinary action after they used a teacher log-in to change their own grades on the school’s online course platform.
The Gadsden High School students logged into a teacher account on Edgenuity, an online course provider and grading platform, and changed a total of 456 grades, according to a statement from the Gadsden Independent School District. Five of the 55 students implicated have been suspended.
The students who altered their grades won’t receive credit for those courses, and the 29 seniors involved will not be eligible to graduate in the spring. All students will have the opportunity to make up work, including seniors, who will be able to qualify for diplomas in the summer.
Students used a teacher access code, similar to a password, to log in to the restricted Edgenuity account. All students who changed grades used the same code, according to the district’s statement.
“We regularly work with schools on how best to set permissions and organize administrator rights to ensure there are appropriate access limits to student grades,” a spokesperson for Edgenuity said in a statement. The company also recommends that schools clearly spell out the consequences for cheating and other academic dishonesty.
But password security—the issue at hand at Gadsden—ultimately “comes down to the individual entrusted with the password,” the Edgenuity spokesperson said.
How can teachers and other school staff ensure that their passwords stay private?
Some of the most effective safeguards are the most low-tech. Teachers should avoid keeping their passwords in a prominent place—like a sticky note near the computer—even though it may be convenient, said Marie Bjerede, the principal of leadership initiatives for the Consortium for School Networking. (The district didn’t provide details about how students obtained the teacher password at Gadsden.)
Small fixes like this can avoid bigger problems down the road. “Cybersecurity is everybody’s job,” said Bjerede, “It doesn’t just belong to IT.”
Students plotting interference in online gradebooks isn’t a new phenomenon.
Last year, a sophomore in Chicago accessed his high school’s PowerSchool grading system by sending phishing emails to his teachers, who then provided their usernames and passwords. In 2015, a high school senior in Long Island placed a keylogger—a program that records all keystrokes entered on a device—on a computer in the building. He used the captured log-ins to change his grades and rearrange the schedules of other students.
Despite these high-profile cases, it’s likely harder for most students to get unauthorized access to their grades in an online system than it would be if their teachers were using pen-and-paper gradebooks, said Bjerede, due to the security measures that these platforms put in place.
It also may be easier for educators to identify the students responsible. Edgenuity, for example, can provide school administrators with activity logs with every session on the platform, as well as the corresponding IP address for that session.
The best defense against against student hackers is the same one districts deploy against external threats, said Bjerede: a strong cybersecurity plan and regular trainings for teachers and staff.
CoSN’s cybersecurity planning and evaluation resources recommend that districts have clear procedures for how to report and document security issues and a response plan in place for cyber attacks.
A version of this news article first appeared in the Digital Education blog.