In what may be one of the more comprehensive disclosures of a school cybersecurity incident, the Bloomfield Hills Schools today announced students hacked into the student information system “MISTAR” to make changes to grades, attendance, and lunch balances.
Among the steps they took to publicly disclose the incident, the school district:
- Set a pop-up message for all visitors to their website;
- Published an extensive Q&A about the incident on the district website at: https://www.bloomfield.org/departments/communications/q-a;
- Set up a dedicated call center to respond to questions from community members;
- Provided suggestions to parents on digital citizenship conversations that they should be having with their children in the wake of the incident; and
- Shared a recorded video message from Superintendent Robert Glass.
Immediate coverage of the incident and disclosure has well-coordinated, resulting in the near simultaneous publication of several stories, including via:
- The Detroit News (“Bloomfield students hacked accounts, officials say“)
- WXYZ Detroit (“Students hack into Bloomfield Hills school information system, manipulate grades“)
- Fox 2 Detroit (“Bloomfield Hills students hacking school system to change grades, get lunch refunds“)
- Detroit Free Press (“Student hackers change grades, lunch balances in Bloomfield Hills“)
- WWJ 950 News Radio (“Bloomfield Hills Students Hack School Computer System, Change Grades“)
This incident is yet another in a recent string of events involving the hacking of school IT systems by students, including most recently in New Mexico, California, and Utah. While I understand why schools would want to discourage copy cat behavior and hold those responsible to account, I fear that existing policy frameworks are not well-suited to treating teens fairly in incidents like these. These are minors, we encourage their interest in coding and STEM education, we romanticize hacking culture, watch as high-tech companies offer hackers well-paying jobs, and we build systems that teens have repeatedly demonstrated are less than secure.
Charging these students under federal law, especially one that has been criticized for being overly broad and draconian in its penalties, seems – well – harsh. I’ve wondered previously if we should be sending students who hack their schools to jail. I continue to wonder if there might be another, more humane path we could take. (As an aside, this issue strikes me as having parallels to the issue of teen sexting, another instance where our school policy frameworks have struggled to interface with the legal system and keep pace with broader changes in society.)
My hats off to Bloomfield Hills Schools for the comprehensiveness of their initial response to the cyber incident they’ve experienced. It is no longer a question of whether a district will need to respond to a cyber incident, but how. Their example should serve as a model for others.