Student hacks Broward Schools and accesses personal information

Date Reported:
3/23/08

Organization:
Broward County Public Schools

Contractor/Consultant/Branch:
None

Victims:
District employees and students

Number Affected:
38,000

Types of Data:
"Social Security numbers, addresses, birth dates, names and other personal information"

Breach Description:
"A high school senior accused of hacking into a Broward School District database may have downloaded more than just the private information of 38,000 district employees as originally suspected, according to court records."

Reference URL:
South Florida Sun-Sentinel

Report Credit:
Joel Marino, South Florida Sun-Sentinel

Response:
From the online source cited above:

A high school senior accused of hacking into a Broward School District database may have downloaded more than just the private information of 38,000 district employees as originally suspected, according to court records.

Investigators also found information about students at the high school he attended, a host of password hacker programs and credit card generators — or software that can falsify credit card information — in a school computer used in February by Michael Wasa, 18, of Tamarac, a search warrant said.
[Evan] Why aren't these computers locked-down?  High school students (for the most part) are very "high risk" users.  The computers should be well hardened and internet access should be restricted to acceptable site visits.

He was suspended March 6 pending expulsion, but no charges or arrests have been made, said district spokesman Keith Bromery. Investigators also are trying to determine if Wasa worked alone.

A student at J.P. Taravella High in Coral Springs, Wasa was taking several computer classes at the Atlantic Technical Center in Coconut Creek when police say he first accessed the district's database a month ago.

A teacher at the technical school became suspicious of illegal activity after she was unable to access a classroom computer Wasa used on Feb. 26.

The school's information technology team found decrypting software had been downloaded, allowing the user to break into a database and collect teacher and student information from the entire Broward County school system.

School administrators asked Wasa about the hacking on March 4. The records say Wasa "readily admitted he hacked into the school board servers without authorization."
[Evan] Naïve.

He was asked to turn in a thumb drive, which he said contained emergency contact information for Taravella's 3,000 students.

Wasa also is suspected of collecting the Social Security numbers, addresses, birth dates, names and other personal information of district employees ranging from teachers to bus drivers. "There's still no reason to believe that there was criminal intent or that he did anything with the information he was able to retrieve," Bromery said.
[Evan] Breaking into the school's computer systems is against the law.  
Michael Wasa also had "credit card generators" in his possession.  Yet, "There's still no reason to believe that there was criminal intent"?!

Melissa Grimm, a district project manager, told the district's audit committee that the student hacked Pinnacle, an electronic grade book. Both Grimm and Bromery said the payroll has not been affected.
[Evan] Pinnacle Gradebook is made by Excelsior Software.  I don't know of any known vulnerabilities and/or exploits for Pinnacle so I wonder if it was just poorly secured in the first place, much like the desktop computer was.

Coconut Creek police, the Broward Sheriff's Office and a district investigations unit are reviewing the case; even the U.S. Secret Service has volunteered to help, said Joe Melita, head of the district's special investigative unit.
[Evan] Sheesh, this has to be intimidating to a high schooler.

"It's a serious matter any time the protection of employee records comes into question," Melita said. "This affects a lot of employees, so we want them to feel comfortable that their information is secure."
[Evan] But their information is NOT secure.

Commentary:
Michael Wasa may have hacked into the school's systems because he was curious, maybe he thought it would be a challenge that he could brag about, or maybe he actually had more sinister plans to use the personal information for criminal gain. The fact that he had "credit card generators" in his possession lends some credence to the latter.

Schools that provide computers for their students need to make sure that adequate information security is not forgotten on those computers.  For instance, there is no need for a student to have unrestricted internet access, local administrative rights, the ability to install software, etc.

Pinnacle Gradebook is a tool widely used by many schools throughout the country, along with Infinite Campus. I applaud these schools for their intent to provide better school/teacher/parent communication by capitalizing on technology, but the potential security implications are equally important.

Past Breaches:
Unknown


 