Student hacker destroys eMail and ADA records at online school

The recent break-in and vandalism of an online charter school’s primary eMail program raise questions about the safety and security of learning delivered via the internet.

A 15-year-old student enrolled in California’s virtual Choice 2000 Charter High School broke into the school’s eMail and administrative software system Sept. 29 and erased two days’ worth of eMail correspondence and student attendance records.

The student "got into our system and basically told our auditing and eMail system to destroy itself," said Dan King, director of Choice 2000 online high school. "It’s important to note that he did not get into our online classes."

Choice 2000’s classes are held in a teleconference format similar to an internet chat room, where more than 40 students can attend at one time. In this format, teachers may present other information, hold discussions, or answer student questions. In addition to teleconferencing, teachers and students communicate regularly through eMail.

The online charter school uses World Group software for eMail communication and attendance auditing. "We use an entirely different software package for the administration of our classes, called Interwise. That system was not harmed," King said.

The records tampering occurred shortly after the student hacker, a minor, had been suspended from using World Group as punishment for another online infraction.

"He had gotten into a couple of his buddies’ [home] computers and tampered with them, so I suspended him from using World Group, which means no personal eMail for a couple of days. He was not barred from classes; he just had to send the eMails directly to me. But I guess that made him angry," King said.

The school’s director of technology was able to trace the intrusion to the student, and the administration immediately reported the incident to the authorities, King said.

Investigators believe the student used an illegal account to get online and delete the information.

"We believe he basically gave another student’s account the powers of a system operator and got into the school using that account. Right now, we estimate $18,000 in damages for time spent and equipment replaced," said Deputy David Cobb, lead investigator on the case with the Riverside Sheriff’s Department.

King places the estimate somewhat higher.

"We estimate this has cost about $20,000 so far. That includes the loss of the average daily attendance records for those two days. It has taken a major effort to get back on track," he said.

California uses average daily attendance (ADA) to determine the amount of funding a school receives. "I don’t think we will actually lose those two days, since this is a special case. The state will probably just look at the ADA for the days before and the days afterwards and estimate from there, so that loss will be recouped," King said.

According to Cobb at deadline time, "[The student has] not been charged yet, but he will most likely be charged with violating California Penal Code #502, which has to do with computer intrusions and causing damage therein."

As a result of the hacking, Choice 2000 has had to re-enroll all students and account for two days of records that were lost because they had not been backed up. "We are still having problems now with some kids not being able to log into class," King said.

Some students had to redo homework that was lost, and teachers had to regrade tests lost when the eMail server was disabled.

After his suspension, "the hacker was subsequently reinstated, but he opted out of Choice 2000 and enrolled himself in a mainstream high school," said Cobb.

The ease with which one student caused major damage may prompt educators to ask whether the delivery of online learning is just too vulnerable.

Cobb believes online high schools may be more vulnerable to attack than other high schools because "the common profile of a hacker is a juvenile or young adult," and online high schools tend to be attended by computer-savvy students in that age group.

Not necessarily, counters King.

"We are not more vulnerable than other schools in terms of security, because we have password protection, firewalls . . . the whole thing. But, because we depend entirely on eMail and the internet to deliver learning, it does hit us much harder when the system goes down. We are certainly more dependent on electronic communications than an average school," he said. "Instructionally, [the incident] did not harm anyone. Actually, it made us smarter. We know now that we have to be more careful."

What precautions could have been taken to prevent the intrusion from happening? "It’s tough to say. Unfortunately, in today’s world computer security can be a case of trial and error for us all, not just for schools. We all need to learn from our mistakes," Cobb said.

King said the school is considering changing its whole eMail system.

"If we gave everyone a Microsoft Outlook eMail address, they could access eMail directly through our web page. That would get rid of one software program and help us build security around our internal communications," he said.

According to King, World Group Manager software is so widely used that it is vulnerable to attack.

"It may make us too vulnerable to have a closed system," he said. "I also think we were overly depending on [the World Group software] by doing both our eMail and attendance audit on it. We need to divorce the eMail from the audit. It’s the old adage ‘diversify,’ meaning don’t depend on one thing."

Choice 2000 is in its fifth year as an accredited high school in Perris Union High School District. The school is tuition-free to students who are residents of California’s Riverside, San Bernardino, San Diego, Imperial, or Orange counties.


Choice 2000 Charter School

Perris Union High School District

Want to share a great resource? Let us know at