
Students wanted to win a water-gun fight — so they hacked thousands of records, school says

The Washington Post, 10/21/2019, Hannah Knowles

The high school students say they just wanted to win a water-gun fight.

But officials in their Pennsylvania school district say they took a senior-year tradition way too far, hacking into test scores and personal information of the district’s more than 12,000 students while trying to get the home addresses they say they wanted for a tactical edge.

Downingtown Area School District is calling it a crime — and considering whether to press charges in the latest incident of school systems falling prey to their students’ tech savvy.

“These actions are reprehensible and we are taking this attack very seriously,” Gary Mattei, the school district’s technology director, said in a statement, warning that hacking is a federal offense and that the “consequences for these young individuals is likely to be severe.”

The students got “teacher-level access” to systems and used “unethical coding methods” to extract far more than addresses, administrators say. They also obtained grade-point averages, SAT scores, phone numbers, ethnicities and other private information about every elementary, middle and high school student in the area.

None of the data accessed was tampered with, Mattei said, and no Social Security numbers or credit card information for students or parents was available for perusing. But the data taken could have been used for identity theft, district spokeswoman Jennifer Shealy told The Washington Post, although she added that administrators do not think the attack was malicious.

With an investigation ongoing, the district has yet to decide on a punishment.

“There are consequences to students’ actions,” Shealy said. “However, we do know that these are students, they’re kids — so it’s balancing that.”

The suspects have not been publicly identified, and the district isn’t saying how many are thought to have participated. Administrators said they started investigating the hacks after finding out on Oct. 11 about an attempt to compromise accounts for a site called Naviance, which provides college and career resources.

The hack was allegedly carried out as part of “senior water games,” Shealy said. It’s a local tradition modeled after “Assassin,” in which players typically try to eliminate one another over the course of days. The district is aware of the game and has told students not to play it on school property, Shealy said.

Teenagers have been known to go to extremes for the sake of an “Assassin” win: Police in New Hampshire once weighed criminal charges, including reckless driving, after students got into a car crash while playing.

“Students get caught up in the act of the game and they forget common sense,” said police Lt. Dean Killkelley of Merrimack, N.H., according to local station WCVB.

More schools are also becoming victims of big hacks perpetrated by students. Their systems tend to be easy targets, according to one teenager who has made it his mission to scout out and raise awareness of the vulnerabilities.

“The state of cybersecurity in education software is really bad, and not enough people are paying attention to it,” Bill Demirkapi told Wired, explaining how he had found bugs in popular school software that left 5 million records exposed.

A recent data breach at a Maryland high school involved Naviance, just like Downingtown’s hack. A student used what’s called a “brute force attack” — an automated attempt to guess log-in credentials — to download GPAs, test scores, contact information and even nicknames for about 1,400 peers, according to cybersecurity site SC Media.

Naviance blocked the suspicious activity within hours, SC Media reported, but it was too late. The illegally obtained information was allegedly shared with other students.

Shealy said cybersecurity is “a constant concern” for the Downingtown school district. All employees and students are changing their passwords after the breach, she said, and administrators are taking other steps to prevent a repeat.

Shealy declined to elaborate on those measures, though, saying she doesn’t want to give any future hackers clues.
