Students hack Innovation Academy
Innovation Academy students access sensitive FCS information
Kevin Xiang, Editor-in-Chief & Nethra Pai, Staff Writer
On Jan. 26, 2024, Innovation Academy students lost access to their accounts because one or multiple students hacked into Fulton County Schools (FCS) data servers. By accessing this critical infrastructure, they likely were privy to sensitive student and teacher information.
“There’s a lot of rumors, but what we’re supposed to know is that a student, or a group of students, chose to hack into FCS and as a result, we got locked out of our devices for all of Friday and the weekend,” Simran Ahuja, a junior at Innovation Academy, said.
At Innovation Academy, Fulton County deactivated all student accounts, and students can no longer bring personal devices to school or connect them to FCS Wi-Fi. Coincidentally, that day was also the Information Technology (IT) pathway flex Friday, a day when Innovation Academy was organizing a hackathon, an intense and collaborative coding competition.
This lockdown meant that Innovation Academy students could not complete their work. Classrooms that use outside resources and devices are also currently struggling as FCS is only allowing access to certain devices.
“Obviously, that flex Friday [and] that Saturday and Sunday we could not work. Monday, even, there were parts of the day where we could not work because people were still getting their devices back,” Ahuja said. “We have an Apple computer in one of our rooms, so we can't use that device right now because we can only connect FCS Microsoft devices.”
The reason for the lockdown was a breach in one of Fulton County’s information systems. Such a breach poses serious consequences. Those servers store personal information such as usernames, passwords, addresses, and even social security numbers.
“As teenagers, a lot of our high school students have a lot of information out there in different other accounts already,” Media Specialist Darryl Paul said. “But third and fourth [graders], kindergarteners don't have accounts, but all that information is on tap here. So this is one of those few places that information can be accessed. And that's one of the biggest risks.”
FCS responded quickly to this incident, by implementing stricter password requirements on all students and especially staff. The IT department forced all accounts to change their corresponding passwords, even legacy ones that had grandfathered passwords.
“Obviously, we've attempted mass password requirements in the past, and they were not terribly successful,” Paul said. “This time, if you reset it to your birthday, they locked you out a week later because they ran another scan to check your passwords for meeting the requirements.”
Other potential solutions include FCS providing higher quality devices to more effectively monitor student activity and bar software such as Virtual Private Networks (VPNs), but this is likely a longer-term solution that is currently in the works.
“The challenge is that students bring their own devices and that is something I think Fulton County really has to look at in terms of providing a great device for every student saying, ‘this is what you're going to use,’” Martin Neuhaus, principal of Northview High School, said.
For the students involved, Fulton County will likely take legal or disciplinary action if it has not already. Depending on the details of the breach, it could range from a suspension to a tribunal expulsion, as well as state and federal charges.
“Computer crime gets really serious really fast, especially when it's sensitive information: hospitals, schools, [and] government,” Paul said.
FCS has traditionally been attentive to security. FCS implements many of the basic technological safeguards, such as encryption, password protection, and two-factor authentication. In addition, the use of Microsoft products in the district stems from the fact that Google refused to meet FCS’ information security requirements.
“Once or twice, somebody thought they could just brute force the server, and, turns out, they could not because we pay for good internet security here,” Paul said.
Yet, many involved with the FCS IT department were not surprised by the breach. In the past, Paul has dealt with Northview students who have attempted similar breaches. Many of the students who would have been participating in that activity now choose to attend Innovation Academy.
“It was less proactive than it was more of like, ‘when it does happen, we'll deal with it,’” senior Harry Chen, who has worked in the FCS IT department, said. “And some other people definitely thought ‘maybe the kids aren't smart enough to do this in the first place.’ It's a little bit of a wake-up call for them.”
Chen points out a possible avenue that the hacker could have used to access the servers that FCS has not taken a hard line to protect against. With strong digital security, the weakest link is the humans that use it.
“I suspect that it's comparatively easier to hack into an education system, [or] IT infrastructure when you do kind of like human engineering, which is when you go through the people when you go through people [like] teachers [or] IT staff at your school,” Chen said. “Sometimes you can develop a very personal or very close relationship with these adults in your school.”
By doing this, a student can gain access to a password corresponding to an account with higher privileges. It could be as simple as a teacher giving their password to a student to help with a task.
“A big thing a lot of companies are doing to prevent that is a lot more training: this kind of specific prevention training targeted at not allowing people to manipulate you into giving them sensitive information,” Chen said. “[At FCS, I] do not see any training specifically targeting cybersecurity or stuff like that, but I wouldn't be very surprised if that starts coming into being after this.”
While Fulton County adds protective measures, only time will tell how effective they will be. Currently, it can only do its best to protect private information.
“I think Fulton County responded appropriately. You can't guarantee that somebody's not going to access it, but [we can] put in as many safeguards as possible,” Neuhaus said.