Two Dallas ISD students were allegedly responsible for the district’s cyber security breach last year, according to information obtained by WFAA News. The students have not been identified publicly, and superintendent Michael Hinojosa has yet to acknowledge that students were involved in the cyber attack.

Last August, school district officials received an anonymous email notifying them that the district’s online security system had been hacked and confidential records had been downloaded.

The information accessed spanned twenty years of data from alumni, school employees, students, and parents of DISD. The email included encrypted links as evidence of the breach.

The email concluded with this confession: “We are not professionals, nor do we have any experience in offensive cybersecurity. We are just two students who were curious… If you want to hire me, I have no resume but would be very interested, thanks.”

When the school district officials announced the breach last September, no indication was given that students may have been involved. Michael Hinojosa, Dallas ISD Superintendent, has yet to acknowledge that students were allegedly the culprits.

The situation caused the district’s Chief Information Security Officer, Dr. Rajin Koonjbearry, to resign from his position. Koonjbearry’s resignation letter from last October stated, “I am afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility. I am now convinced that Dallas ISD IT cannot keep our data safe.”

As reported by WFAA News, Hinojosa responded to Koonjbearry’s remarks, stating, “While he has his right to his opinion, I’ve learned in this business, in 27 years as a superintendent, there’s at least two sides to every story, sometimes three or four. He makes some very legitimate points that we need to look into.”

Hinojosa pointed out that there was no evidence that any confidential information had been leaked or misused.

North Texas cybersecurity expert Phillip Wylie commented, “They got lucky because these kids didn’t want to do anything malicious. And they shared that with them. Would Dallas ISD have really known that they’d been breached if the students hadn’t sent the email?”

A similar incident happened several years ago when a 12-year-old student in Michigan, Jeremy Currier, managed to access student passwords, school accounts, camera systems, security door locks, and other information. Eventually, he was caught and expelled from school, but he later stated that he had no ill intentions and was only curious about what he could accomplish.

According to Doug Levin, a security expert who studies cybersecurity incidents at schools throughout the U.S., curiosity is often the primary motive for such incidents. “By and large, students are curious, and for the most part, they are not looking to significantly cause harm or mayhem in a school district by accessing systems inappropriately,” he said.

The FBI decided not to charge the two students in the DISD case. Hinojosa has stated that the school district has increased its computer network security since the incident. On January 13, Hinojosa announced that he will step down as the Dallas ISD Superintendent by the end of 2022.