Student hacker accesses info in Downingtown
41,000 residents' Social Security numbers, birthdays and addresses were downloaded, copied.
Andrea Mento is upset.
The 59-year-old lifelong Downingtown resident received one of about 16,600 letters the Downingtown Area School District sent May 19, saying that a freshman at Downingtown West High School had downloaded files that included their Social Security numbers, birthdays, and addresses.
Now Mento, like many of the roughly 41,000 people whose info was copied, is keeping tabs on her credit records in case of identity theft, while wondering how this happened.
The district, which has admitted that an employee's mistake made the information available to student access, is scrambling to make upgrades to its network.
"I think they should have had better security, but I definitely think the student was at fault," said Mento, a retiree who taught for 32 years at Fugett Middle School in the West Chester school district.
"I really think he deserves some jail time," Mento said of the West freshman. "I think they need to set an example that this was wrong, and this kid is old enough to know that he was doing something against the law. . . . Kids seem to think that hacking is cool. It's the same as robbing a bank."
The 15-year-old who downloaded the information was arrested May 21 and charged as a minor with felony computer trespass, felony unlawful duplication, felony computer theft, and misdemeanor theft by unlawful taking.
Mento will likely not get her wish for jail time. Cynthia Vickers Wilson, a Chester County Deputy district attorney, said that the student's crimes do not merit charging him as an adult, and he will not face incarceration.
Preliminary investigations by the Downingtown police indicate that the student did not send the data to anyone else, save one other West student, who has cooperated with the police and will not be charged.
This case is less that of a precocious hacker mischievously evading district security, and more a case of human error putting a lot of important information where it wasn't supposed to be.
The district gathers address and household information so it knows where to send its newsletters. Up until 2005, it used Social Security numbers as indicators for each resident. That practice has since stopped, but information from 2005 was still on the district's network.
Someone made a copy of the files that were accidentally placed on an unsecured part of the network, said district spokeswoman Pat McGlone.
She said these were the files that the student discovered one day. He did not need to crack any passwords, evade any firewalls, or blow down any doors, so to speak. He just simply needed to be curious and bored.
Downingtown Police Lt. Steven Plaugher said that if the student had simply viewed the files and left them alone, no crime would have been committed. When the student decided to copy the files to a flash drive and take it home, then he broke the law.
The student also copied a district employee directory, and W-2 files from one Downingtown school, which McGlone said they would not identify. He bragged to other students about his discovery; word reached school officials on May 9.
"I think they had a fairly significant mistake on their end. I don't know how they allowed that type of data to be accessed by a student," said Steve Mancini, manager of technology services for Kennett Consolidated School District. Mancini said, to the best of his knowledge, Kennett does not keep Social Security numbers on its taxpayers on its network.
June Garwin, director of information technology for the West Chester Area School District, said that West Chester doesn't keep Social Security numbers, and that district information is segregated from student access.
McGlone would not say last week if the district had determined who was responsible for mistakenly placing the census files on the unsecured network, but did say that if and when they did assign blame, that would be a personnel matter and remain confidential. So will whatever district punishment is handed out to the student.
School officials held an open meeting on May 29, and a section of the district Web site - dasd-adm.org - gives a detailed explanation of what happened along with Web sites and phone numbers for credit agencies. The district hired two firms to make improvements to its network, and has allocated one district employee to look through every file in the network, to make sure that no other accidental copies exist.
Faith McKown, a mother of three Downingtown East High students, said she wasn't happy when she heard about the incident, but wasn't surprised. Kids are more tech-savvy than adults, the Glenmoore resident said, and the district's technology safeguards were behind the times.
But there are no easy ways to ward off identity theft, she said.
"Every time you go to a doctor's office, a bank, as much as I would love it to be secure I realize that today, any low-level person can have access. I don't know what you could do to make it better."
For More Information
To learn more, visit dasd-adm.org and click on "cyber security."
If you are a resident of the Downingtown Area School District and would like to know if your information was included in the files the student downloaded, write a letter to Pat McGlone, Downingtown Area School District, 126 Wallace Ave., Downingtown 19335.
Downingtown police recommend that residents obtain a copy of the police report for reference in case of identity theft. The school district will pay for all copies. They can be picked up at the police office, 10 W. Lancaster Ave., in Downingtown, or downloaded from the district Web site above.