Students in the Montgomery County Public School System (Maryland) are being forced to reset their passwords for the college prep service Naviance, which suffered a brute-force attack on October 3rd. A brute-force attack occurs when an attacker tries to log in to user accounts using a large list of potential passwords, in the hope of guessing some of them correctly. Brute-force attacks are effective because many people use weak or guessable passwords and some websites allow an unlimited number of failed login attempts. The attack occurred over two hours and affected around 1,350 students, the majority of whom attend Wheaton High School. Information that was accessed included name, date of birth, highest ACT score, ethnicity, grade level, highest IB score, gender, student ID number, student address, GPA, weighted GPA, home phone number, email address, highest SAT score, mobile phone number, assigned counselor, highest PSAT score, and nickname. The district took quick action and was able to neutralize the threat.

The Washington Post obtained a statement from Derek Turner, a spokesman for Montgomery County Schools, who said that a student who did not attend Wheaton High School wrote a program that generated a large number of login attempts. Mr. Turner declined to identify the student the district believes is responsible because the student is a minor, but he did add that the responsible party may face criminal charges as well as disciplinary action from the school district. Many questions have been raised about why no alarms were triggered on Naviance’s side; the company has not responded at this time.
Dealing with a third-party vendor can be a risk since companies have no direct control over another company’s security measures. It is important for risk management departments to vet third-party vendors and ask critical questions about how they will protect the data they are being entrusted with. Another key aspect of this situation is the presence of an insider threat. Even though in this case it was a student, it shows that anyone, at any time, can be a risk to the company or organization. In the case of Naviance, having monitoring in place that could detect brute-force attacks would have decreased the chances of the threat actor gaining access. Companies can implement lockout policies as well, which temporarily block further login attempts on an account after a set number of failures. Any of these options would have prevented this attack or at least made it more difficult for the information to be breached.
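As an added illustration of the two controls described above (this is example code, not anything from the article or from Naviance), the following Python runs a per-source failed-login detector and a per-account lockout policy over a constructed sample log; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample auth log in an assumed "timestamp outcome user= src=" format
# (not Naviance's): one user mistypes once, then one address hammers "bob" and
# walks a dozen other accounts, the pattern the article describes.
ATTACKER = "203.0.113.7"
SAMPLE_LOG = (
    ["2019-10-03T14:00:00 FAIL user=alice src=198.51.100.4",
     "2019-10-03T14:00:05 OK user=alice src=198.51.100.4"]
    + [f"2019-10-03T14:01:{i:02d} FAIL user=bob src={ATTACKER}" for i in range(6)]
    + [f"2019-10-03T14:02:{i:02d} FAIL user=stu{i:02d} src={ATTACKER}" for i in range(12)]
)
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse_line(line):
    """Return (timestamp, failed, user, src) for one log line."""
    ts, outcome, user, src = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), outcome == "FAIL", user, src

def flag_sources(lines, window=timedelta(minutes=5), max_failures=10):
    """Sources with more than max_failures failed logins in a sliding window.
    Counting per source catches a program walking many accounts one failure each."""
    recent, flagged = defaultdict(deque), set()  # src -> failure timestamps in window
    for line in lines:
        ts, failed, _user, src = parse_line(line)
        if failed:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # evict failures that fell out of the window
                q.popleft()
            if len(q) > max_failures:
                flagged.add(src)
    return flagged

def apply_lockout(lines, threshold=5, lock_for=timedelta(minutes=15)):
    """Per-account lockout: after `threshold` consecutive failures an account
    rejects attempts until lock_for elapses. Returns 'allowed'/'locked' per line."""
    failures, locked_until, decisions = defaultdict(int), {}, []
    for line in lines:
        ts, failed, user, _src = parse_line(line)
        if user in locked_until and ts < locked_until[user]:
            decisions.append("locked")
            continue
        decisions.append("allowed")
        failures[user] = failures[user] + 1 if failed else 0  # reset on success
        if failures[user] >= threshold:
            locked_until[user] = ts + lock_for
            failures[user] = 0
    return decisions
```

The lockout never fires for the twelve accounts that each see a single failure, which is why per-source monitoring complements a lockout policy rather than replacing it.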