[BreachExchange] Data breach exposed personal info of nearly 6, 000 Montgomery County student accounts

Destry Winant destry at riskbasedsecurity.com
Wed Dec 4 10:09:11 EST 2019


Nearly 6,000 accounts containing the personal information of students
in Montgomery County, Maryland, were exposed due to data breaches that
went as far back as September.

The school system and Montgomery County police determined that a total
of 5,962 Naviance accounts were affected across six schools: Wheaton
High School, Montgomery Blair High School, Julius West Middle School,
Argyle Middle School, Parkland Middle School and A. Mario Loiederman
Middle School.

Naviance, an online college and career readiness program used by MCPS,
notified the school system in October about a security incident that
affected 1,344 accounts at Wheaton High School. Naviance reset the
password for the affected users following the breach.

The suspect performed a “brute force attack” on the high school’s
Naviance platform, attempting many username and password combinations,
and eventually gaining access to 1,343 student accounts and one
parent-guardian account.

However, a forensic analysis by police in November found the number of
affected accounts was nearly 6,000 and there had been additional
attacks involving other schools.

The type of information exposed included, name, date of birth, gender,
address, phone numbers, nickname, GPA and weighted GPA, email address,
school counselor, grade level, student ID, SAT and PSAT scores, ACT
score and IB score.

As part of the response to the security breach, the school system
forced a district-wide password reset for all Naviance student
accounts, MCPS said in a letter dated Nov. 25.

Montgomery County police and MCPS identified the suspect in the
security breach as a student, and police took possession of the
student’s laptop and cell phone for investigation.

They found in addition to an attack on Oct. 3, the student also
breached several Naviance platforms between Sept. 12 and Sept. 14.

Police do not believe the student shared any of the accessed
information with others.

The student is facing disciplinary actions, as well as possible
criminal charges.

The school system recommends the following precautionary steps for
parents to secure their children’s identity:

Request a credit freeze for your child. It will make it difficult for
someone to use your child’s information to open accounts.
Check to see if your child has a credit report. Credit bureaus can
send a copy of your child’s credit report, if your child has one.
Review information on child identity theft from the Federal Trade Commission.

If you have questions about the security breach, email Montgomery
County Public Schools at information_security at mcpsmd.net.

More information about the BreachExchange mailing list