Education Week - June 13, 2018 - 10
DIGITAL DIRECTIONS > TRACKING NEWS AND IDEAS IN EDUCATIONAL TECHNOLOGY
Districts Criticized for Harsh Responses to Student Hackers
CONTINUED FROM PAGE 1
professional association for school
The problem of students using
computers to alter school records
is nothing new. Consider, for example, the popular 1983 movie
"War Games," in which a young
hacker played by Matthew Broderick nearly starts World War III -
but not before breaking into his
school's network to change his and
his girlfriend's grades.
Thirty-five years later, similar
incidents are still presenting challenges for K-12 leaders. Bolstering
cybersecurity is one big issue. But
figuring out how to appropriately
discipline the students responsible
has also proved vexing.
In some cases, districts have
launched aggressive criminal investigations that have led to felony
charges. Often, such prosecutions
have occurred under state laws
modeled after the federal Computer Fraud and Abuse Act, which
makes it a crime to access certain
computers or computing systems
without authorization, said Tor
Ekeland, a New York City-based
defense lawyer who specializes in
representing hackers and white-collar defendants.
That approach is often "overzealous" and often motivated by a
desire to save face after weak cybersecurity practices are revealed,
Ekeland and other experts say. For
all but the most serious breaches
involving K-12 students, the experts argue, school-based discipline
is likely more appropriate.
"These are just kids," Ekeland
said. "If we prosecuted computer
crimes in the 1970s like we do now,
Steve Jobs and Bill Gates would
have gone to jail, and we wouldn't
have Apple and Microsoft."
K-12 cybersecurity experts suggest that schools take
such basic measures to protect against hacks as:
Train staff on good password practices: No sticky notes. Use long, complex passwords. Don't repeat passwords across platforms. Consider password-management software.
Require two-factor authentication: Even if a hacker inappropriately obtains a password, he or she won't be able to access a network without a second piece of information, such as a code sent to the legitimate user's mobile device.
Be vigilant about ensuring role-based access to information: No one associated with a school should have access to more information than he needs to do his job.
Patch software regularly. Some more sophisticated hackers seek to exploit vulnerabilities in software. That can often be prevented by making sure programs are updated and
Four student-hacking incidents
from this school year represent
similar problems across the country.
>> EAST BREWTON, ALA.
Last month, Alabama Attorney
General Steve Marshall announced
the arrests of a student and teacher
in the 4,500-student Escambia
County district, charging them
with the felony of computer tampering for allegedly altering grades at
W.S. Neal High School.
Local news reports alleged that
senior Matthew Hutchins had improperly accessed a school computer
system (later identified as INow, a
student-information and data-management system). Special education
teacher Lisa Odom was also arrested and charged with a felony in
connection with the incident.
According to WEARTV.com,
school officials noticed discrepancies in the grades of a number of
students, prompting the district to
delay its announcement of top student performers.
In an interview last month with
AL.com, Escambia County Superintendent John Knott said that
multiple students were involved
and that a full review was underway. AL.com has also reported
that an assistant principal's login
credentials were used to change
grades over a six-month period.
The Escambia County board of
education, the Alabama attorney
general's office, and lawyers for
Hutchins and Odom did not respond to requests for comment from
Both Hutchins and Odom face up
to 10 years in prison if convicted.
In general, Ekeland, who is not
directly involved in the Hutchins
case, said K-12 administrators
should think twice about why
they're pursuing such severe measures.
"The hacker bears some responsibility," Ekeland said. "But a
felony will follow a student for the
rest of his life."
>> CONCORD, CALIF.
Sixteen-year-old David Rotaro
told California's ABC13 Eyewitness News that a grade-changing
scheme he executed was "like stealing candy from a baby."
According to local television station KTVU, Rotaro, a sophomore
at Ygnacio Valley High in the
32,000-student Mount Diablo district, executed a relatively sophisticated hack. Rotaro reportedly
created a fake website that mirrored his district's actual website,
then sent a "phishing" email out to
teachers in the hope that someone
would use his or her actual login
and password to access his site.
Mount Diablo staff are "routinely
advised against opening suspected
phishing or spam messages," a district spokeswoman told Education
Week. Still, a teacher bit on one of
Rotaro's messages, allowing the
student to access the school's computer system in order to change the
grades of roughly a dozen students.
Rotaro, who told local news outlets he hopes to work in IT as a professional, has been charged with 14
felony counts, according to multiple
Education Week did not receive
a response to messages left on a
phone number believed to be associated with the student's family.
Doug Levin, who tracks K-12 cybersecurity breaches through his
consulting firm, Edtech Strategies,
said the incident highlights the mixed
messages schools are giving students.
"We're telling kids that tech is
the future and learning to code is
where all the good jobs are," Levin
said. "It's not surprising that they
would use these tools to test limits,
including with the school IT systems they know best."
>> TENAFLY, N.J.
A senior at high-performing
Tenafly High allegedly breached
the school's student-information-management system and a software program used to submit college applications and transcripts,
apparently because he felt pressure to improve his profile for Ivy
The school launched an investigation after a guidance counselor noticed the student's grades
had been altered, according to
NorthJersey.com. The student was
suspended, and his college applications were rescinded.
The local board of education filed
two criminal charges against the
student, according to the news outlet. An official said the Tenafly police department could not comment
on the incident because it involved
a juvenile. The Tenafly district did
not respond to a request for comment.
In general, K-12 chief technology
officers often underestimate the cybersecurity threats they face and
fail to take basic precautions, according to a 2017 survey of school
IT leaders administered by CoSN
and the Education Week Research
One-third of those surveyed said
they hadn't encouraged district
staff to upgrade passwords, for example. Just 11 percent said they
required two-factor authentication
for district accounts.
But thanks to a steady drumbeat
of hacking-related headlines, that
could be changing, said Bjerede of
"I think that awareness of cybersecurity issues has grown dramatically," she said.
>> GADSDEN, N.M.
Officials in the 14,000-student
Gadsden school district notified
parents that 55 students allegedly took part in a grade-changing
scheme involving an online course.
The students apparently logged
into a teacher account on Edgenuity, an online-course provider and
grading platform, and changed a
total of 456 grades, according to a
statement provided by the district.
Five students were suspended,
and the remainder will have to redo
their work in the courses in which
grades were changed in order to
receive credit. Twenty-nine seniors
were not eligible to graduate on
time as a result of the incident.
The hack came to light because
Edgenuity logs and time stamps all
activities undertaken on each account on its software. But the issue
at hand in Gadsden was poor password practices, a spokesperson for
the company said.
Good password security ultimately "comes down to the individual entrusted with the password,"
an Edgenuity spokesperson said in
Recurring problems on that front
speak to a larger problem in the
K-12 sector, said Levin of EdTech
"The adults have to take responsibility, too," Levin said. "If a 14-year-old
can penetrate your system this
easily, you're not locking the windows and doors like you should be."
Research Librarian Holly Peele and Staff
Writer Sarah Schwartz contributed to