Sunday 24th June 2018

Students hack school system to change grades

The students also refunded their lunch purchases and modified attendance records.
Jason Smith
by on 20th May 2018
Data security

Two students at Bloomfield Hills High School hacked the school’s student information system to change their grades, and those of approximately 20 other students, according to an announcement on the school’s website.

While in the system, they also took the opportunity to change their attendance records and refund their lunch purchases.

According to the announcement, the students hacked the MISTAR student information system. It goes onto state, “We take seriously our responsibility to gather and store your information.

“Therefore, we have partnered with forensic data experts to pour over our student information system to better understand the access the students gained and the information potentially acquired during their time in our data”.

An FAQ page on the school’s website also states that, with the assistance of a forensic investigation, a report that may have contained parents’ usernames and passwords may have been run.

As a precaution, the school will reset all of its “Parent Portal” passwords on Monday 21st May, a move that will require all parents to reset their passwords when they next login to the system.

The page also states that the students gained access to the system after exploiting a vulnerability that has now been patched.

The School’s Superintendent, Rob Glass, published a video providing more detail about the incident on YouTube. In the video, he stated, “unfortunately, our students made some poor choices lately, deciding to hack into our student information system.

“…the consequences for these young individuals is likely to be severe. Cyber hacking is a federal crime and we’re working with the proper authorities to determine the appropriate discipline and legal ramifications”.

Overall, the school’s response to the hack is impressive. Not only did they inform all parents and stakeholders, they set-up an FAQ page, published a YouTube video and hired a forensic investigator.