The Unexpected Curriculum – Case study: Information Security in Education
- Brute force
Hackers used brute force to break into a school’s computers and carried out a batch of bogus transfers out of the school’s payroll account. The transfers were kept below $10,000 to avoid detection by anti-money-laundering reports. The hackers had close to 20 accomplices whom they had hired as scammers. Over $100,000 was successfully removed from the school’s payroll account. Two days later an employee discovered the bogus payments. Unfortunately, organizations and companies have roughly two business days to spot and dispute unauthorized activity, because school organizations that bank online fall under the Uniform Commercial Code. As a result, the school was able to get back less than $20,000.
- Shoulder surfing
A former student shoulder surfed the password of an employee back when he was in school. After graduating, he used this information to get into the student information system. From there, he gained access to different payroll data sets, including birth dates, Social Security numbers, and bank account information of nearly 5000 current and former employees. This information was then used for crimes such as identity theft and fraud, including using the stolen credit cards, creating checks, and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000, the district gave all the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered “damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud…. answering employee questions and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information.”
- Key logger
A group of students installed a keystroke-tracking program (this could also fall under malware or student hacking) on computers at their high school to grab the user names and passwords of about 10% of the students, teachers, parents, and administrators that use the system. The students then used this password information to access the system to change grades for themselves and others. They did not seem to do anything else to the system while they had access.
Cases like these show how vulnerable we really are when dealing with sensitive data, and how we may have underestimated how easily our passwords can be obtained by others.
- Data stealing malware
A school computer containing no confidential information was connected to the network containing the personal information of over 15,000 students. This computer was breached with malware designed to steal sensitive data. Names, addresses, phone numbers, dates of birth and Social Security numbers were all part of the database that was potentially exposed to this malware. It is uncertain whether any of this information was accessed, but the malware was found to have been on the breached computer for approximately five years.
A school network administrator was contacted concerning spam e-mail and other attacks emanating from the district system. When the administrator investigated the problem, it was discovered that several computers had been infected with a botnet. Several of the district computers’ operating systems had been commandeered and were being used by the person controlling the botnet for illicit activities.
These are only the two most common kinds of programs that can be installed on a computer with dangerous consequences.
- USB Drive
A school employee was using a flash drive to transfer personal information of 6000 employees for job-related purposes. The information included names, addresses, phone numbers, dates of birth and Social Security numbers. This flash drive went missing. There is currently no evidence that the sensitive information has been accessed or used inappropriately.
- Stolen & Returned Mobile Storage Device
A mobile storage device was stolen and retrieved in a matter of three hours. The thief was apprehended. The device contained names and Social Security numbers for approximately 1600 individuals in a welfare reform program. A computer expert could not determine if the information on the data storage device had been copied off it. There is currently no evidence that the sensitive information has been accessed or used inappropriately.
- Stolen Laptop
A district business office laptop was stolen. The laptop contained sensitive employee and student data. The laptop was password protected and contained data in a format that would not be easily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.
With so much confidential data in our hands on devices that are handy and portable, we have to step up measures to ensure that our equipment does not end up in the wrong hands and expose us to the risk of data theft.
Posting Information to the Web
- FTP installed
A member of a school association installed a file transfer program (FTP) onto a server without permission, inadvertently exposing the names, birth dates and Social Security numbers of thousands of associated members around the country. The program was installed and had the information exposed for almost a year before it was discovered.
- Wrong information uploaded
An assessment specialist who handled testing data accidentally uploaded personal information including names, Social Security numbers, birth dates and test scores of the district’s 17,000 students to a Web site for an unrelated school study.
- Grade “Fixing”
A group of high school students managed to infiltrate the school district’s records management system. Once in, they changed grades for students who paid them to do so. The students said that, in addition to the money, they did it for kicks, to prove they could do it.
- Moving files
A high school student taking a networking class hacked into an administrator’s user file. Once in, he changed students’ passwords, remotely shut down computers, and created and copied folders in an assistant principal’s file. He just wanted to see what he could get away with and did not do any real damage despite his capability to do so.
- Unauthorized access
A third-grade student used the teacher’s password to gain access to the instructor’s portion of the Blackboard online learning environment. Once in, he changed some students’ passwords and some of the homework assigned.
- Hacking the School as a Project
A 15-year-old student used three hacking programs to gain access to the district records management system in 200 milliseconds. Once in, he lowered his grades, since he could not raise them: he already had a 4.0. He then wrote a three-page paper on how to improve the security of the system. Finally, he went on to help the district improve the security of the network in general.