Home | News Alerts | Book Thrown at 15-year-old for School Data Breach

Book Thrown at 15-year-old for School Data Breach

10th-grader allegedly accessed bus driver personnel files on school computer

October 31, 2008

A 15-year-old student faces criminal charges after allegedly accessing a New York school district’s personnel files, The Daily Gazette reported. The male student at Shenendehowa High School, unidentified by police due to his age, was charged with second-degree unlawful possession of personal identification information and second-degree identity theft, The Saratogian reported.

Is this the case of a well-meaning student being made a scapegoat for a school’s lackluster data security? Or are the punitive measures justifiable—a lesson to would-be hackers with malicious intent? While initial media reports and the School District’s own statement did little to answer this question, a story in the Times Union suggests this was not a “white hat” hacker looking out for the school’s best interests.

Consider this…

The Shenendehowa Central School District found out about the data breach only after a student sent an anonymous e-mail to the high school’s principal, district spokeswoman Kelly DeFeciani told The Daily Gazette. The letter reportedly beckoned the principal to “look what I have,” The Daily Gazette reported. the Times Union added that it was “threatening in nature,” quoting a state police investigator.

Within two hours of the breach, two 15-year-old boys were being questioned. The other boy allegedly involved has not been charged, according to The Daily Gazette.

The accused student was reportedly working on a school computer in Schenectady when he is thought to have used his student password to access internal Department of Motor Vehicle records kept on bus drivers, the district stated. According to the Times Union, the student who has been charged allegedly uploaded the data onto his personal web site. He has also been disciplined in the past for violations of the school’s “acceptable use policy” for district technology.

The information included Social Security numbers, according to The Daily Gazette. In a meeting after the incident, bus drivers were informed of the breach and told of precautionary credit protection measures they could take, DeFeciani said.

The district blamed “a configuration error,” saying the file “was not completely secured…after being moved to a new server.” It stated: “The district takes great measures to secure our data and this breach is extremely troublesome.” What’s also troublesome is the fact that Social Security numbers were left on an unsecured part of the district’s network.