Two students at Bloomfield Hills High School are the main suspects in a hack of the school’s Student Information System, called MISTAR. The students are believed to have made changes to the grades, attendance records, and lunch balances of about twenty students and themselves.
The hack was discovered when an employee logged into his account and noticed an error, after which the school investigated the issue and learned about the attack.
The students are suspected to have exploited a now-resolved vulnerability in the school systems to gain access.
“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”
The school has announced that it will be resetting all Parent Portal passwords on Monday, May 21, 2018, which will then require all parents/guardians to reset their individual password upon returning to the system.
While the investigation is ongoing and the school is still reviewing its digital security, it has said, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”
“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.
In a YouTube video, Bloomfield Hills High School superintendent Robert Glass said that the punishment for the culprits of the attack is likely to be severe.
“Cyber hacking is a federal crime and we’re working with the proper authorities to determine the appropriate discipline and legal ramifications,” he said. “Due to student privacy laws, we’re not able to disclose more information but we can assure you that we’re working within the full extent of the Student Code of Conduct and the full extent of the law.”
The school has also established a support hotline, in addition to its FAQ page, where parents can reach out to learn more or have their questions about the hack answered.