Late last month, for approximately 28 hours, all OPRF High School students had the same password for their school accounts in a cybersecurity mistake that was quickly corrected. The problem began on June 23 when OPRF’s data manager, Level Data, a Kalamazoo, Michigan company that specializes in managing data for school districts, was conducting a cybersecurity audit on the OPRF system.
“They were doing, basically, just routine updating and maintenance on our accounts and passwords and in doing so they inadvertently wiped out all of our students’ passwords. They also wiped any ability for us to go back and retrieve them,” Superintendent Greg Johnson told Wednesday Journal.
The result was that, because of what the school described as “an unexpected vendor error,” students could not get into their Google accounts, which they use for all manner of schoolwork and activities. Their Google accounts also link to their grades and other personal information. Every OPRF student has a school-issued Chromebook.
As a temporary fix all OPRF students were given the same password, Ch@ngeme!, so they could access their accounts. Students and their families were notified of the new password in an email sent out during the afternoon of June 22. The email also strongly suggested that, after signing into their accounts using the universal password, they update their password to their own unique password “as soon as possible.”
But students, parents and Johnson quickly realized that for the time period when every student had the same Ch@ngeme! password, any student could sign in to another student’s account and access the personal information of others, including emails, papers, class work and anything saved to the Google Drive. Johnson said access to student grades, which are kept on Skyward, were never compromised.
Every student having the same password was “something I became aware of late afternoon on June 22,” Johnson said. “It was an accident. It certainly isn’t anything that we want to have happen again, and it certainly is something that is a problem. Anytime anybody can have access to potentially anybody else’s account, it’s a real problem which is why we needed to find that second solution as quickly as possible.”
As soon as he became aware of the issue, Johnson asked the school’s Technology Department and Level Data to come up with a different way to allow students to access their accounts.
At a little after 8 p.m. on June 23, about 28 hours after the initial email was sent, OPRF sent another email to families giving each student a unique password based on their student ID number and their birthdate, along with instructions as to how to create another unique password.
Johnson said school officials have found no evidence of any unauthorized access to student accounts during the time when all students had the same password.
“We were able to monitor our systems and see if we had any unauthorized access and we’ve had no reports of that so far at all and we have not seen any anomalous behavior with our students accounts and our monitoring of that,” Johnson said.
One OPRF student told the Wednesday Journal that she had trouble creating a new password because she had changed her password so many times, a problem that the student said was annoying.
Johnson encouraged any student having problems with creating a password or accessing their account to call or visit the student helpdesk.
“If somebody calls our helpdesk, we’ll just help them out and get everything squared away,” Johnson said.
Johnson was relieved that the problem was solved quickly.
“It had the potential to disrupt summer school,” Johnson said. “We were able to get through it fairly quickly.”