denbesten
Community Champion

Ch@ngeme!

This is an interesting Oops.... 


High school changes every student’s password to ‘Ch@ngeme!’

Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”

“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. ...”


Ultimately they realized the error of their ways and used individualized passwords, but not until after parents/students had logged into others' accounts and potentially created a FERPA issue for the school (Google Classroom shows the student their scores, which is privileged data).


Thinking about this from a cybersecurity professional perspective, I see a few failings that lead to this:


  1. Auditors should have read-only access. Period.
  2. When a vendor f's up, the contract should hold them liable for repair, including potentially bringing in remediation experts on their dime.
  3. Incident response begins with understanding, not action. And, it should begin by calling in experts.  The classic example is yanking a knife from a stab wound and causing a bleed-out.  Laymen call 9-1-1.  Doctors take an x-ray first to see what was hit.
  4. Before bulk emailing (to 3000 parents) the message should be vetted by multiple eyes for grammar, content, and "stupidity".
  5. Just like nursing and teaching, IT is a professional activity that should be handled by professional staff trained in the discipline.  The costs of error are too great for it to be a side-gig for a "tech-savvy" employee.
  6. Security awareness training should start with "why" and focus on avoiding password re-use at least as much as hard-to-guess.

Even as an IT professional who occasionally makes bulk changes, I first discuss the proposed process with a few peers and then have someone watching over my shoulder if the change has "big impact".

1 Reply
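A small guard against the two failures in this story, a change that hits every account instead of the intended scope and a remediation that hands every account the same password. This is an added example, not code from the post, the school or its vendor; the account records, the 5% threshold and all function names are constructed for illustration.

```python
"""Guarded bulk password reset (constructed example).

Two safeguards: a dry-run that reports scope before anything changes, and a
refusal to touch more than a small fraction of accounts unless the exact
dry-run count is confirmed by whoever is watching over the operator's
shoulder.  Every reset password is individual and random, never a shared
default like the one in the story.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def individual_password(length: int = 16) -> str:
    """One unique, random password per account (never a shared default)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def plan_reset(accounts, selector):
    """Dry-run: return the accounts the selector matches, changing nothing."""
    return [a for a in accounts if selector(a)]


def apply_reset(accounts, selector, max_fraction=0.05, confirm_scope=None):
    """Reset passwords for matched accounts, refusing oversized scopes.

    A change touching more than max_fraction of all accounts only proceeds
    when confirm_scope equals the planned count, i.e. a second person has
    read the dry-run.  Returns {email: new_password} for accounts changed.
    """
    planned = plan_reset(accounts, selector)
    limit = max(1, int(len(accounts) * max_fraction))
    if len(planned) > limit and confirm_scope != len(planned):
        raise PermissionError(
            f"scope {len(planned)} exceeds {limit} accounts; "
            f"dry-run count must be confirmed before applying")
    changes = {}
    for acct in planned:
        pw = individual_password()
        acct["password"] = pw
        changes[acct["email"]] = pw
    return changes


# Constructed sample directory: 40 student accounts (hypothetical domain).
STUDENTS = [
    {"email": f"student{i}@example.edu", "grade": 9 + i % 4, "password": "old"}
    for i in range(40)
]
```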
JoePete
Advocate I


@denbesten wrote:

Before bulk emailing (to 3000 parents) the message should be vetted by multiple eyes for grammar, content, and "stupidity".


Love that line - should be in every communications SOP. I can excuse grammar to some degree, but stupid has become too prevalent in today's messaging.


The larger issue is that, at least in my experience in the US, schools are overwhelmed at the technology level.  Even pre-Covid, they were being pulled into technology without ever developing the requisite resources, curriculum, and frameworks.  A lot of this is the politicization of education. Some nincompoop runs for school board, legislator, governor etc. on a platform of making the schools more competitive etc. 


This forces the schools to adopt technology when they aren't ready. Covid accelerated that greatly. 


One thing that pops into my head here, though, is what the nature of the incident was. It sounds like they use Google Classroom, but the real issue may be some sort of middleware. Was this some sort of SQL injection test that went wrong, updating all records and not just the one they were testing against? Yes, the vendor may have erred, but they shouldn't have been able to make an error on this scale.