This is an interesting Oops....
High school changes every student’s password to ‘Ch@ngeme!’
Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”
“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. ...”
Ultimately they realized the error of their ways and used individualized passwords, but not until after parents/students had logged into other's accounts and potentially created a FERPA issue for the school (Google classroom shows the student their scores, which is privileged data).
Thinking about this from a cybersecurity professional perspective, I see a few failings that lead to this:
Even as an IT professional who occasionally makes bulk changes, I first discuss the proposed process with a few peers and then have someone watching over my shoulder if the change has "big impact".
@denbesten wrote:Before bulk emailing (to 3000 parents) the message should be vetted by multiple eyes for grammar, content, and "stupidity".
Love that line - should be in every communications SOP. I can excuse grammar to some degree, but stupid has become too prevalent in today's messaging.
The larger issue is that, at least in my experience in the US, schools are overwhelmed at the technology level. Even pre-Covid, they were being pulled into technology without ever developing the requisite resources, curriculum, and frameworks. A lot of this is the politicization of education. Some nincompoop runs for school board, legislator, governor etc. on a platform of making the schools more competitive etc.
This forces the schools to adopt technology when they aren't ready. Covid accelerated that greatly.
One thing that pops into my head here, though, is what was the nature of the incident. It sounds like they use Google Classroom, but the real issue may be some sort of middleware. Was this some sort of SQL injection test that went wrong - updated all records and not just the one they were testing against? Yes, the vendor may have erred, but they shouldn't have been able to make an error on this scale.