Downingtown schools data breach: ‘Brute-force’ hack or 21st-century teen curiosity?

For a school district in one of the more bucolic corners of the region, it’s been a confusing few weeks, framed by a series of puzzle pieces that still might not tell the whole story:

A “brute-force” computer hacking. Leaked student records. A criminal investigation. References to past suicides. Suspensions. And a nationwide teen craze called Assassin.

The Downingtown Area School District has been confronting all of it since Oct. 11, when administrators discovered a potential attack on their college resource website.

Undisputed is that students gained teacher-level access to Naviance, a college preparation website containing personal information for thousands of students, including their household relationships, GPAs, and SAT scores.

How or why they did it is still unclear.

But the district got involved when administrators heard rumors of a top GPA list circulating among students in its three high schools.

“These actions are reprehensible and we are taking this attack very seriously,” Downingtown’s technology director, Gary Mattei, said in an Oct. 17 letter to families. “This is a crime against our district and, more importantly, a crime against you, our DASD student and parent community.”

In some ways, the incident at the Chester County district of 13,000 echoes pranks that have plagued high school hallways for generations. This one includes allegations that students were trying to gain an edge in the off-campus game Assassin, which involves students targeting one another with water guns.

But the drama reflects the complications surrounding computer-savvy students using technology — more adept than many of their elders, but more oblivious to the consequences.

District officials, noting that cyber hacking can be a federal crime, said this week they are still piecing together what happened.

“We’re not ready to share exactly what is known,” said spokesperson Jennifer Shealy. She said no students have been charged but police are still investigating. The local police in Uwchlan Township declined to comment Friday.

Played by high school students around the country, Assassin involves students shooting their targets with water guns, eliminating them from the contest. The victor can win money.

Downingtown officials say the students who got the Naviance data wanted to track down other players at their homes.

A different story has been circulating online.

“THE ARTICLE IS BULLS—,” a commenter named Oceanic_Muffin wrote on the social media site Reddit, referring to a news report that tied the incident to the water-gun game. The Muffin commenter and other Reddit users who claimed inside knowledge said the hackers wanted to use the data to send automated “happy birthday” messages to students and make a list of their top-performing peers.

“I know, very evil,” quipped Oceanic_Muffin in one post.

That commenter passed along a reporter’s phone number to a student who identified himself as one of the hackers — though, he said, there was “no big hack.” (The Inquirer agreed not to publicly identify the student, who expressed concern that the publicity could affect his college applications.)

He said it was another student who had accessed the system about a year ago, using a teacher’s password. Still, he said, he was suspended by Downingtown through Oct. 30 for his role in the breach this fall.

The Downingtown East senior said he was asked by the student who initially obtained the data to help program automated motivational birthday messages to students — intended to be supportive following a string of student and alumni suicides.

“It’s an odd way of doing it. But he had very good intentions,” the senior said.

What finally brought their online actions to the attention of district administrators was more timeworn high school behavior, he said.

Other students began "pressuring him to use all the information he had to get people’s ranks,” the senior said. He “caved in to peer pressure.”

As for how water guns got involved, the senior said that story came from a third student who was “brought in” on the hack. The senior said neither he nor the student who originally obtained the data played Assassin.

While admitting wrongdoing, the senior also faulted the district for inadequate security measures, this year and in the past. “This isn’t some elite hacking, it’s just first-year computer-science students,” he said.

Shealy, the district spokesperson, said she was “aware of a variety of rumors floating around." But she said none could be substantiated at this time.

Apart from the nationwide Pearson data breach earlier this year, Shealy said the last time the district experienced “a breach of personally identifiable information” was in 2008.

Outside Downingtown East this past week, students were aware of the incident but weren’t sure what to believe. One girl, a sophomore from the district’s STEM Academy, said she “heard some kids were a little scared about it."

Another student, East junior Briana Nica, said she’d heard conflicting stories: “Some people said it was for Assassin,” but others said it was about getting the GPAs.

“The people who did it are kind of dumb — no offense,” she said. “I don’t see the point. Personally, I would never do it.”

The senior who told The Inquirer he was involved predicted such incidents would likely keep happening.

“It’s just curiosity,” he said.