WHEATON – On Oct. 14, Wheaton High School seniors arrived at school to learn that a Montgomery County Public Schools (MCPS) student downloaded the personal data of over 1,300 of their own.
The information stored on a “college and career readiness” software service called Naviance included test scores, GPAs, personal information, phone numbers and email addresses, but no credit card numbers or Social Security numbers.
According to MCPS, the attack took place on the evening of Oct. 3, between the hours of 8:10 p.m. and 10:14 p.m. By the end of those two hours, Naviance detected the suspicious activity and blocked the IP address.
Naviance notified the school of the hack the next day so that MCPS could begin an investigation. By then, the student had downloaded the information of 1,344 Naviance accounts, including one parent account. The student later shared the data with other students, according to school officials.
The student, who does not attend Wheaton High School, reportedly wrote their own code for a “sequential brute force attack,” a common password cracking method for hackers. The code enlists the hacker’s computer to guess encrypted passwords through trial and error. Depending on the strength of the password, this can take up to years of guesswork. Simpler passwords, however, will be cracked almost instantaneously.
It is unclear if the student had attempted to access a schoolwide database or the hundreds of individual Naviance accounts, one by one.
On Oct. 7, MCPS and the Montgomery County Police Department (MCP) identified the student responsible and took possession of all their technological devices.
The student is expected to face disciplinary action by school administrators. While that person may not have been criminally charged for any crime, the state’s attorney reserves the right to do so. According to MCPS, the criminal investigation is ongoing.
The attack was not the school system’s first. In 2016, a break-in at the offices of WestEd, a nonprofit research organization that was reviewing MCPS’ special education procedures, saw the theft of the data of 340 students. The intruder stole five computers that included hard drives filled with parents’ and students’ personal information.
Taosif Irfan, a senior at Wheaton, first learned of the hack by email from the school’s college and career center on Oct. 14.
“I was shocked, but I wasn’t surprised,” Irfan said. He described two glitches with Naviance within the last two weeks, corresponding with the date of the attack. With those glitches, he had trouble signing into his account.
“I wasn’t worried, though,” Irfan said of later reading about the incident. “I knew the school and county would take care of the situation immediately, which they did.”
That same day, Naviance was updated to request that Wheaton students change their passwords the next time they attempted to log in.
Not every student, however, learned of the situation immediately. Lesly Flores only heard of the hack from a friend. Gabriel Guadalupe, another senior at Wheaton, heard about the incident on Oct. 16, when he went into the “College Tracks” center for help on college applications. There, while trying to log into his Naviance account, he was prompted to change his password.
“I’m not super bothered by it,” Guadalupe said. “I know there’s some sensitive info there, but it was another kid that carried out the attack, so I feel like it’s not super serious.”
“He was caught, so I’m assuming he (probably) didn’t do anything with the information,” he added. “I hope.”
MCPS released a statement after the incident, available on Wheaton High School’s website.
“MCPS is committed to safeguarding the privacy and security of our students, families and staff, and MCPS sincerely regrets that this incident has occurred,” the school system said. “MCPS takes this event very seriously, and we will continue to be forthcoming with any relevant information.”
MCPS also advised students to change their Naviance password, while parents were advised to request credit freezes on their children’s accounts, in case anyone might try to use their child’s information to open an account in their name.