Education Week - October 11, 2017 - 7
DIGITAL DIRECTIONS > TRACKING NEWS AND IDEAS IN EDUCATIONAL TECHNOLOGY
Schools Pick Up the Pieces After Twitter Accounts Hacked
tweets sent out
By Benjamin Herold
Use a long, complex
password for each
platform and update it
Do not use the same
password for multiple
basically means that after
entering a password, a user
completes a second step-
often entering a code that
is sent by text message-in
order to access an account.
choices about limiting
access to certain websites.
One administrator, or a small
group of people, should be
the sole operator of a thirdparty hosted account.
Set up a crisis
management plan in
advance to ensure district or
school officials are prepared
to run damage control in
the event of a breach. Those
officials will have to reset
passwords and contact
Train teachers and
to identify phishing scams.
Hackers use these email
scams to trick recipients
into giving away their
login information for email
accounts and websites.
SOURCES: C. Blohm & Associates,
CoSN, EdTech Strategies
The trouble for Foothill High
started at 2 p.m. on a Tuesday afternoon last month.
That's when a stream of profane
and offensive messages started appearing on the official Twitter account of the 2,600-student school
near Las Vegas.
Among them: taunts about the
school's "weak weak security system," a photo of a school administrator altered in a vulgar way, and
anarchist images and messages.
Back in June, hackers took control of the official Twitter account
of Florida's 40,000-student St.
Lucie school district. Among the
posts that went out to St. Lucie's
2,700 followers: a graphic photo
of lynched African-Americans, as
well as a racist message that said,
"After Heavy Consideration, Our
District Has Decided To Ban All African Americans From Our School
District. Thank You!"
Both incidents represent a convergence of issues that are increasingly bedeviling K-12 systems:
inappropriate uses of social media,
and a wide range of cybersecurity
And while they so far appear to
be unusual, the Twitter-account
hackings in Florida and Nevada
raise important questions for
school officials and tech companies alike, said Douglas A. Levin,
the president of consulting group
What security steps should
schools be taking to better secure
their social-media accounts? What
should happen to students who
share offensive content posted by
hackers? And how can companies
like Twitter respond more quickly
to such instances after they occur?
In St. Lucie, for example, the racist posts remained public for nearly
12 hours, sparking outrage from
the district superintendent.
And in Nevada, it took almost
two days to get the offensive messages removed.
That's a big problem, Levin said.
"There's not any gray area here,"
he said. "The accounts were compromised, and what was published
was clearly inappropriate and
clearly not something the districts
Foothill High's principal declined a
request to be interviewed.
A spokeswoman for St. Lucie
schools likewise declined to comment or provide an update on the
hacking incident there, citing the
ongoing challenges the district faces
as it responds to flooding caused by
Hurricane Irma earlier this month.
It does not appear that any arrests
have been made in either case. Investigations appear to be ongoing in
Public schools have no legal basis whatsoever to discipline students
based on sharing digital content from the school district's own
accounts, regardless of the situation."
One big question that remains unanswered: How were the school and
district Twitter accounts compromised in the first place?
In the case of St. Lucie, the hackers
offered some pretty big clues.
During an interview with local
television station CBS12, a representative of a group calling itself
Cryo Squad said it had targeted the
district "because it was extremely
vulnerable and they have little to no
Levin of EdTech Strategies said
it would be no surprise if poor security practices played a role in the
There are two big, basic steps that
Levin and other experts recommend
schools take to prevent social media
accounts from being compromised.
"Having a strong password and
keeping it confidential is important,"
Levin said. "It's also important to enable the advanced security features
that most platforms offer, especially
On passwords, Levin advised
schools to make sure they're long and
complicated; to not reuse the same
passwords for multiple services; and
to consider using password-management software.
Two-factor authentication basically means that after entering a
password, a user must complete a
second step-often entering a code
that is sent by text message-in
order to access an account. That way,
even if a password is compromised,
hackers still won't have all the information they need to take control
of an account. Most platforms allow
users to opt into such features by adjusting their settings.
With all the other cybersecurity
challenges districts are facing, it
can be easy to overlook such steps,
Levin said. And while losing con-
trol of a school Twitter account is a
major nuisance, it's different than
having confidential employee or
student information stolen from
other software systems.
But given how difficult it can be
to restore order after a social-media
account has already been hacked,
he said, an ounce of prevention is
clearly worth the effort.
Back in Nevada, one of the challenges faced by district administrators and leaders at Foothill High
was how to respond if students
shared the inappropriate content
hackers posted on the school's Twitter account.
After the hacking took place, the
district released a statement saying
"any student found to be involved in
sharing or retweeting this content
could face disciplinary action."
In an email, a district spokesman
said Clark County's cyberbullying
policy was the basis for that stance.
The spokesman added that "parents
were contacted directly by school administrators if there were concerns
with their child regarding this incident."
But Bradley Shear, a Marylandbased lawyer who focuses on privacy
and social-media law, said any such
punishment meted out for sharing
social-media content would likely be
illegal and would almost certainly
open a can of worms.
"Public schools have no legal basis
whatsoever to discipline students
based on sharing digital content
from the school district's own accounts, regardless of the situation,"
Besides, he asked, how could the
district know for sure that it was actually the student, and not someone
else using their account, who shared
the content? Under what other circumstances would schools presume
to monitor and regulate students' outside-of-school social media postings?
"The bottom line is that [Clark
County's] threat is not only very
troubling, but also hollow," Shear
said. "If they do discipline a student
for sharing the content, they will lose
any lawsuit arising out of the matter."
And then there's the matter of getting the offensive content taken down
after it appears.
Trouble Reaching Twitter
The Clark County spokesman declined to specify exactly how long Foothill's account was compromised, but it
appeared to be under external control
for well over three days.
And in remarks at a news conference that were reported by local
station WPTV, St. Lucie superintendent Wayne Gent fumed at how
long it took Twitter to remove the
racist messages posted from his district's account.
"I was mad as hell," Gent said during the news conference. "There's not
a hotline that you can contact or a
hotline that you can call. It's done
through emails, it's done through
texting and we could not get a response from [Twitter.]"
Levin of EdTechStategies said
that's unfortunate, but not surprising.
Platforms such as Twitter are awash
in offensive, abusive, and otherwise
problematic content, and they are
even getting called to testify before
Congress for their roles in enabling
foreign governments to spread misinformation and meddle in elections.
And their strategy of relying on algorithms and technology to respond to
problems doesn't appear to be working
very well, he added.
"I think one lesson for schools is
that if you're going to use free, cloudbased services, it may be very challenging to reach someone who can
help you in a timely manner," he said.
"You're really at their mercy."
Twitter officials did not respond
to requests for comments sent via
EDUCATION WEEK | October 11, 2017 | www.edweek.org | 7