Personal information, SAT scores and GPAs of nearly 1,350 students at a suburban Maryland high school were exposed after a student figured out the username and password needed to access the data, school officials said.

The student allegedly downloaded demographic data Oct. 3 associated with Wheaton High School students’ accounts on Naviance, an online program that students in the Montgomery County school system use to prepare for college and careers, according to a statement posted on the district’s website.

Derek Turner, a spokesman for Montgomery County Public Schools, said the student wrote a program or algorithm that tried various combinations of usernames and passwords. The student does not attend Wheaton High, and Turner declined to identify the student because the person is a minor.

AD

Officials for Hobsons, the company that owns Naviance, said in a statement late Tuesday that it “immediately took action to contain and mitigate the impact and notify Montgomery County Public Schools” within 24 hours and is working with the school system to “ensure ongoing security of its accounts.”

AD

Hobsons referred other questions about the attack to the school system.

The student responsible for the online attack could face criminal charges in addition to disciplinary action by the district, school system officials said. The breach prompted the school system to reset the Naviance passwords of all Montgomery County students.

In the statement, school system officials said the district “immediately took steps to secure the platform and began an investigation to identify the unauthorized user. The threat has now been eliminated.”

AD

The accounts of 1,343 students and one parent were affected, the statement said. The information included students’ names, contact information, ethnicity and gender. It also included students’ highest scores on SAT, ACT, PSAT and International Baccalaureate exams.

AD

Social Security numbers, banking and credit card information were not part of the breach, according to the school system.

The attack allegedly happened during two hours starting at 8:10 p.m. Oct. 3, according to the school system. Naviance discovered the suspicious activity at 10:14 p.m. and blocked the IP address responsible for the attack, according to the district.

The college prep company immediately reset the passwords of the accounts that were affected and alerted Montgomery County schools the next day.

AD

School and police officials began an investigation Oct. 7 and have identified the student they said is responsible for the breach. School system officials said they believe the information was shared with at least two other students. Police have confiscated the students’ technological devices as part of an ongoing investigation.

AD

On its website, Naviance describes itself as a “comprehensive college and career readiness platform” that helps middle- and high school students explore college and career interests. The company, according to its website, takes “very seriously our obligations and responsibilities to act as good stewards of the student data that schools and districts entrust to us.”

AD
AD