A brute-force hack in October in which a student gained access to the personal data of other students attending a public school district in Maryland was more extensive than originally thought, the district has announced.
Montgomery County Public Schools, a preK-12 district with 208 schools, announced last October that a Naviance system, an online platform for college and career readiness, was hacked by a student who gained access to the data of 1,344 students attending Wheaton High School. The district and the Montgomery County Police Department identified the student, who now faces possible criminal charges.
But on Nov. 25, the district released a second notice, explaining that police discovered the data breach actually extended to 5,962 user accounts across six schools. A forensic analysis of the suspect’s devices, the notice says, revealed that an initial series of attacks using the same technique in September granted the suspect access to data at other schools: Montgomery Blair High School, Julius West Middle School, Argyle Middle School, Parkland Middle School and A. Mario Loiederman Middle School.
Police have said they don’t believe the student shared any of the exposed data and that the data does not include Social Security or financial information. Rather, it included 18 other data sets, including student ethnicities, GPAs, standardized test scores, addresses and phone numbers.
While the September breaches went undetected until recently, the attack on Oct. 3 was quickly detected by Naviance, which, according to the district, blocked the IP address of the attacker and automatically reset the passwords of the affected users.
“MCPS is committed to safeguarding the privacy and security of our students, families, and staff and MCPS sincerely regrets that this incident has occurred. MCPS takes this event very seriously and has implemented improvements to prevent such unauthorized access from happening again,” the district’s recent notice says.
The district is telling parents to monitor student credit reports and freeze their credit through the credit bureaus.