A Downingtown West High School freshman has been charged with three felonies and a misdemeanor for allegedly hacking into the school district's computer system and downloading files containing the names and Social Security numbers of thousands of district residents and students.
The 15-year-old student is being charged as a juvenile, so police are not releasing his name. The charges against him are felony computer trespass, felony unlawful duplication, felony computer theft, and misdemeanor theft by unlawful taking. He has been released to his parents' custody, police said.
The student allegedly accessed the files while using a school computer during a study period.
The action was discovered on May 9; residents were notified on May 15.
The 12,000-student Chester County school district, in a May 19 news release, said the student probably used "unauthorized software" that allowed him to hack into a district server. He "downloaded the information to a flash drive and copied the files to his home computer."
The breach was possible because the information was kept on a server that the student could access, district officials said.
Downingtown police said in a news release yesterday that more than 41,000 taxpayers' names and personal information, including Social Security numbers, were taken, along with the names and personal information of more than 15,000 students. District officials said the information was from 2005 records.
Police said they did not believe the information had been widely shared. "Our investigation at this point does not indicate that the personal information breached was sold or otherwise mass distributed," Downingtown Police Lt. Steven Plaugher said in the news release. One other student may have received some of the information; he is cooperating and has not been charged, Plaugher said.
This is the second time this school year that a student has broken into the district's computer system; another student was arrested in December.
A district statement said the actions of both students were "motivated by an irresponsible interest" in determining whether they could elude computer safeguards.
"The district does not believe that the purpose of either breach was identity theft or the use of any information acquired," the statement added.
On Monday, the district sent out 16,600 letters to households that include residents whose names were in the stolen files, giving them information about how to monitor their credit.
The district also promised to overhaul its computer security and to appoint a security auditor who will oversee all file privileges and review the system for vulnerabilities. And after the incident, it separated its administrative and student servers so that sensitive information is not on any server that students can access, officials said.
The district will hold a public meeting on computer security at 7:30 p.m. next Thursday at Lionville Middle School. Computer security experts and law enforcement officers will be there.