Downingtown Area School District is calling it a crime — and considering whether to press charges in the latest incident of school systems falling prey to their students’ tech savvy.
“These actions are reprehensible and we are taking this attack very seriously,” Gary Mattei, the school district’s technology director, said in a statement, warning that hacking is a federal offense and that the “consequences for these young individuals are likely to be severe.”
The students got “teacher-level access” to systems and used “unethical coding methods” to extract far more than addresses, administrators say. They also obtained grade-point averages, SAT scores, phone numbers, ethnicities and other private information about every elementary, middle and high school student in the area.
None of the data accessed was tampered with, Mattei said, and no Social Security numbers or credit card information for students or parents was available for perusing. But the data taken could have been used for identity theft, district spokeswoman Jennifer Shealy told The Washington Post, although she added that administrators do not think the attack was malicious.
With an investigation ongoing, the district has yet to decide on a punishment.
“There are consequences to students’ actions,” Shealy said. “However, we do know that these are students, they’re kids — so it’s balancing that.”
The suspects have not been publicly identified, and the district isn’t saying how many are thought to have participated. Administrators said they started investigating the hacks after finding out on Oct. 11 about an attempt to compromise accounts for a site called Naviance, which provides college and career resources.
The hack was allegedly carried out as part of “senior water games,” Shealy said. It’s a local tradition modeled after “Assassin,” in which players typically try to eliminate one another over the course of days. The district is aware of the game and has told students not to play it on school property, Shealy said.
Teenagers have been known to go to extremes for the sake of an “Assassin” win: Police in New Hampshire once weighed criminal charges, including reckless driving, after students got into a car crash while playing.
“Students get caught up in the act of the game and they forget common sense,” said police Lt. Dean Killkelley of Merrimack, N.H., according to local station WCVB.
More schools are also becoming victims of big hacks perpetrated by students. Their systems tend to be easy targets, according to one teenager who has made it his mission to scout out and raise awareness of the vulnerabilities.
“The state of cybersecurity in education software is really bad, and not enough people are paying attention to it,” Bill Demirkapi told Wired, explaining how he had found bugs in popular school software that left 5 million records exposed.
A recent data breach at a Maryland high school involved Naviance, just like Downingtown’s hack. A student used what’s called a “brute force attack” — an automated attempt to guess log-in credentials — to download GPAs, test scores, contact information and even nicknames for about 1,400 peers, according to cybersecurity site SC Media.
Naviance blocked the suspicious activity within hours, SC Media reported, but it was too late. The illegally obtained information was allegedly shared with other students.
Shealy said cybersecurity is “a constant concern” for the Downingtown school district. All employees and students are changing their passwords after the breach, she said, and administrators are taking other steps to prevent a repeat.
Shealy declined to elaborate on those measures, though, saying she doesn’t want to give any future hackers clues.