Montgomery County Public Schools Suffers Data Breach Affecting 6,000 Student Accounts

Montgomery County Public Schools has suffered a data breach at the hands of a student, compromising the data of nearly 6,000 students.

Montgomery has put out a Data Incident Response report informing their student body and surrounding community that the student in question accessed Naviance, an online college and career readiness solution program. Furthermore, a forensic analysis by the police in November found that the student not only breached the accounts of his fellow peers, but also accessed accounts from five other Montgomery County Schools.

The six affected schools in the Montgomery, Maryland are Wheaton High School, Montgomery Blair High School, Julius West Middle School, Argyle Middle School, Parkland Middle School and A. Mario Loiederman Middle School. The breach took place on October 3rd.

The breach was executed using a brute force attack, in which an attacker submits multiple passwords in an attempt to guess correctly, using trial and error to eventually gain access to other student’s accounts. The type of information exposed included name, date of birth, ethnicity, gender, address, phone number, GPA, email address, school counselor, grade level, student ID, SAT and PSAT scores, ACT scores, and IB scores.

The Data Incident Report, released on November 25th, reveled that the district executed a mandatory, district-wide password reset for all Naviance user’s accounts, a procedure that should be mandatory in the wake of any breach. The student was eventually apprehended by Montgomery County Public Schools and the Montgomery County Police Department. The MCPD took possession of the student’s technology devices to investigate the case further. The student currently faces disciplinary actions from the school, as well as potential criminal charges from the police department. The police department also came to the conclusion that the student did not share the information with anyone else.

Montgomery’s Data Incident Report concluded with providing salient advice for parents that are worried about their child’s identity being stolen.

• The report suggest that parents should request a credit freeze on their children’s accounts. A credit freeze locks a user’s data within the reporting agency (eg. Equifax, Experien, TransUnion) until the user consents to the release of their data. This effectively prevents financial identity theft in any case where you know your data has been breached
• They also suggest checking to see if your child has a credit report. Indeed, if you kid has a credit report, the bureau can send you a copy so you can look over the information, and remove any fraudulent accounts connected to the report.
• The report concludes with suggesting that parents check out the FTC’s Child Identity Theft information page, which provides useful information on warning signs of identity theft, as well as instructions on checking a credit report, repairing the damage, and limiting risks ahead of time .

These instructions are all useful emergency responses in the wake of a breach. Understanding the specific ways that kid’s information is collected, used, stored, and how to access that information is important for your child’s cyber safety.