06 Dec 2014

Pueblo County District 60 breach in Colorado

Pueblo City Schools District 60 officials required high school students to change their portal passwords Friday after a discovery of unauthorized availability to student grades, attendance records, missing assignments, class schedules, photos of the students, immunization records, grade-point averages, home addresses, telephone numbers, names of siblings and assessment scores all which is stored in their Infinite Campus online record systems.  Students were not given an explanation why the change was being made.  Middle and elementary school students’ user names and passwords were not changed, leaving their accounts still open to unauthorized access.

The discovery came from a brave anonymous tip by a student who voiced concern by revealing and demonstrating the ability to access other students’ accounts because the user names and passwords are almost identical.  Unfortunately, the technology director blamed the messenger rather than admitting password strength was highly questionable.

D60’s technology director Danny Combs claimed to not be aware of it.  After he was shown how access was gained, Combs said it was not a system issue but “a student behavioral” issue.  “This is not a software problem, a breech or a defect in our system,” Combs said. “This is a social engineering issue.”  Combs said students accessing other students’ information is in violation of the district’s Internet use policy. The district’s policy defines violations of security issues but does not indicate the disciplinary actions.  Combs said the current system for accessing student portals was chosen by a district committee when the program was rolled out three years ago.

He said a district committee decided to assign the user names and similar passwords three years ago to make it easier for students, particularly elementary students, to access the sites.

Pueblo County District 70 uses the PowerSchool portal system, which is similar to Infinite Campus.

However, Tim Yates, director of technology, said the district assigns user names and passwords to the students but the passwords are generated randomly by PowerSchool.

Read more at http://www.chieftain.com/news/education/3131669-120/students-student-district-access

]]>

One Comment

Comments are closed.