This student hacked his school system to change his grades, but leaked other students’ data

You never know where a hacker might appear. Digital forensics specialists report that a teenager managed to infiltrate the systems of a high school in the suburbs of Maryland, US, to extract personal information, academic registers, and SAT test scores from more than 1300 students.

In a statement, Montgomery County revealed that the young man had accessed and downloaded the compromised data last October 3rd by accessing Naviance, an online software used by students at Wheaton High School and other schools in the district to prepare some matters on their college life.

According to the county’s digital forensics specialists, the student developed an algorithm capable of testing multiple combinations of usernames and passwords to access the online system, a kind of brute force attack. As a minor, the identity of the hacker has not been revealed.

In this regard, Hobsons, the company responsible for the Naviance system, issued a statement mentioning that “immediate action was taken to contain and mitigate the impact of the intrusion.” The company also claims that it notified all public schools in the county and is working with those involved to ensure the integrity of the rest of Naviance’s accounts. “The security of the students’ information in these schools is one of our main obligations and responsibilities,” the company’s website says.

Derek Turner, a spokesman for the Montgomery School District, mentioned that in addition to the disciplinary action imposed by school authorities, the student responsible for the intrusion could face criminal charges. Due to the incident, Naviance had to reset the passwords of all the students in the county.

In total, the accounts of 1,343 students and one parent were affected by the incident. Exposed records include data such as:

  • Full names
  • Contact details
  • Ethnicity
  • Gender
  • Standardized test (such as SAT) scores and school grade averages

The Maryland school system claims that students’ financial information and social security numbers were not compromised.

Hobsons’ digital forensics experts mention that the intrusion would have occurred around 8 p.m. on October 3rd. Just hours later, Naviance staff detected suspicious activity and blocked the source IP. That same night Hobsons reset the passwords of all users in the county and notified the potentially affected schools.

Local authorities and the affected school began an investigation to find the person responsible, who was identified a few days later in possession of some devices possibly used during the intrusion. Authorities believe the extracted information could have been shared with at least two other students.

According to the digital forensics specialists from the International Institute of Cyber Security (IICS), everything indicated that the teen planned to modify his school grades. However, it is still clear whether the student accessed this pre-university system incidentally or if he acted intentionally by seeking personal details about his classmates.