Nearly 6,000 accounts containing the personal information of students in Montgomery County, Maryland, were exposed due to data breaches that went as far back as September.
The school system and Montgomery County police determined that a total of 5,962 Naviance accounts were affected across six schools: Wheaton High School, Montgomery Blair High School, Julius West Middle School, Argyle Middle School, Parkland Middle School and A. Mario Loiederman Middle School.
Naviance, an online college and career readiness program used by MCPS, notified the school system in October about a security incident that affected 1,344 accounts at Wheaton High School. Naviance reset the password for the affected users following the breach.
The suspect performed a “brute force attack” on the high school’s Naviance platform, attempting many username and password combinations, and eventually gaining access to 1,343 student accounts and one parent-guardian account.
However, a forensic analysis by police in November found the number of affected accounts was nearly 6,000 and there had been additional attacks involving other schools.
The type of information exposed included, name, date of birth, gender, address, phone numbers, nickname, GPA and weighted GPA, email address, school counselor, grade level, student ID, SAT and PSAT scores, ACT score and IB score.
As part of the response to the security breach, the school system forced a district-wide password reset for all Naviance student accounts, MCPS said in a letter dated Nov. 25.
Montgomery County police and MCPS identified the suspect in the security breach as a student, and police took possession of the student’s laptop and cell phone for investigation.
They found in addition to an attack on Oct. 3, the student also breached several Naviance platforms between Sept. 12 and Sept. 14.
Police do not believe the student shared any of the accessed information with others.
The student is facing disciplinary actions, as well as possible criminal charges.
The school system recommends the following precautionary steps for parents to secure their children’s identity:
- Request a credit freeze for your child. It will make it difficult for someone to use your child’s information to open accounts.
- Check to see if your child has a credit report. Credit bureaus can send a copy of your child’s credit report, if your child has one.
- Review information on child identity theft from the Federal Trade Commission.
If you have questions about the security breach, email Montgomery County Public Schools at firstname.lastname@example.org.