AOH :: ISN-3144.HTM

NB students suspended for hacking




NB students suspended for hacking
NB students suspended for hacking



http://www.ecmpostreview.com/2006/October/12nbstsufoha.html 

By Patrick Tepoorten
10/12/06

The North Branch school district very recently discovered that a number 
of students were able to hack the personal identification numbers (PIN) 
of both staff and students, and have had access to meal and media center 
accounts, as well as protected media lab information, since last 
February. Now, high school students responsible for the security breach 
have been suspended, others may be disciplined, and the district is 
scrambling to assign new PIN numbers for students and staff.

While the information the students had access to would be considered 
personal in nature, at no time did the students have access to protected 
private data like health records, grades, or financial information such 
as credit card numbers. That information is protected by separate 
systems that were in no way compromised by this breach of security, 
according to the district.

The theft of PIN numbers was discovered roughly a week ago by a computer 
lab manager doing routine file clean-up on a school computer. The 
employee noticed an unusual file that was determined to be a complete 
list of students and staff with corresponding PIN numbers. Further 
investigation led to the discovery that the information had been 
accessed in February of this year.

The file containing the PIN numbers was discovered by the students as 
part of a daily upload of information from the lunch room to a district 
on-line data base where information is stored.

The file containing the PIN numbers was then saved to a different 
location by the students. It is not believed that the students in 
question qualify as computer savvy students that went looking for this 
information. According to district media relations coordinator Sara 
Thompson, the information appears to have fallen into the students' 
laps.

Likely the primary reason the breach was not discovered sooner is that 
the students do not appear to have used the information for any purpose. 
There is no evidence that students used the PIN numbers to eat lunch or 
check out library books on anothers account, or accessed anyones media 
lab account, which serves as a network storage space for student 
assignments.

To address the situation, the district sent a letter on Oct. 11 to 
parents in the district. The letter makes parents aware of the situation 
and that they will be issued a new PIN number by Oct. 23. Until then the 
data will continue to be accessible using existing PIN numbers. In order 
to increase the level of security and eliminate the risk of repeating 
existing PINs, the district will issue five-digit PINs instead of four.

A flyer will be sent home with younger students as well, and the 
district is expected to address the situation in the Oct. 25 edition of 
School News, the weekly column published by the district in the Post 
Review. A second letter to parents will be sent later this month and is 
expected to include new PINs.

As well as new PINs, the district is addressing weaknesses in its own 
security that allowed the breach to occur.

While the most sensitive of district data was not compromised, the 
situation has caused a headache for staff. Thompson estimated the cost 
of making parents, students, and staff aware of the breach at 
approximately $3,000.

The amount of hours dedicated to investigating the breach, which 
included multiple staff members, has not been tallied but is considered 
to be much higher.

Additionally, staff and students will have to learn new PIN numbers, 
which is expected to create short-lived problems, especially in 
cafeterias.

Due to policy, the district is not allowed to verify how many students 
were involved, when they were suspended, or for how long they were 
suspended. It is known that more than one student has been suspended and 
that policy 506 calls for a suspension of no longer than 10 days. It is 
also known that a number of the students involved have had their 
computer privileges revoked for the remainder of the school year.

The district has no plans to pursue criminal charges against any of the 
students involved.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods