DEVELOPING: MCPS data breach exposed personal information of Blair students

On Nov. 25, Montgomery County Public Schools (MCPS) notified community members of a series of cybersecurity attacks against Naviance, the county's online college and career readiness platform. Occurring from Sept. 12 to 14, the attacks compromised the personal information of nearly 6,000 students across six schools including Blair. 

The report followed an earlier MCPS statement on Oct. 4 noting an attack from Oct. 3 against 1,343 students from Wheaton High School. Wheaton, Blair, Julius West Middle School, Argyle Middle School, Parkland Middle School and A. Mario Loiederman Middle School were targeted by the September breach.

The attack exposed both personal and academic information, including the names, birth dates, home addresses, email addresses, phone numbers, standardized test scores and GPAs of the students' whose accounts were accessed.

Naviance 2

Photo: Personal and academic information exposed in the Sep. 12 to 14 and Oct. 3 data breaches.

Personal and academic information exposed in the Sep. 12 to 14 and Oct. 3 data breaches.

MCPS Information Security and Data Privacy Engineer Tom Chapman explains that families shouldn't worry about the information exposed. Specifically, the student did not gain access to social security numbers or data that might be exploited financial harm. "The personal information accessed, such as home address and phone number, can usually be found in the yearbook and PTA directory either way," Chapman says.

MCPS framed the breach as a sequential brute force attack, but junior Kevin Higgs explains that it's much simpler than it sounds. At Blair, each account's default password is identical to the username, both of which are assigned as the student's ID number. Higgs postulates that the attacker merely iterated over potential ID numbers to gain access to the accounts. "Sequential brute force attack is a weird way to describe it," he says. "I would just call it 'knowing the password.'"

The county police department (MCPD) believes the student has not yet shared any of the downloaded student information. The police are holding the attacker's devices for examination, but they have not found evidence of additional attacks or malign intention. In the meantime, they face disciplinary action as well as possible criminal charges.

Chapman believes the attacker did not have a hostile motive. "Sometimes, people do things just to do them," he says. "You think you know how you'd potentially do it, and sometimes you follow through."

MCPS forced a district-wide password reset for all Naviance accounts in response to the data breach. During counselor visits to junior classes, many students were unable to log into their account for the majority of the class period. For seniors such as Keawe Johnson, their transcripts sent through Naviance never successfully made it to their designated colleges.

Amidst the confusion, Blair administration has avoided informing students about the stolen information. Counselors dutifully reset student accounts, but did not explain the lapse in Naviance's function. Blair Principal Renay Johnson declined to comment on the issue.

In response to the incident, Naviance also updated its password requirement policies to prevent future breaches. Requirements include using 10 characters, an uppercase character and a number, according to Chapman.

Chapman hopes that this breach will inform MCPS and improve students' data security. They aim to ensure that future platforms working with MCPS will have higher standards of protecting user data. "In recent years, MCPS has really been working toward protecting student information as a top priority," Chapman says. "While this incident doesn't really reflect that, I think it's an example of what to avoid in the future."

For now, however, Higgs notes that MCPS security vulnerabilities are a common sighting. He reported several flaws in MyMCPS Portal in March that still remain unresolved. "[By manipulating the URL], I can get all of my grades from all of my classes with just one section ID," Higgs says. "This could theoretically be expanded to get everyone's grades, which is an issue."

MCPS Director of Technology Peter Cevenini will attend the PTSA meeting on Dec. 17 to discuss the Naviance data breach.