Jeremy Currier, with parents Janet and Ted Currier, was one of two  students expelled from Rochester Community Schools for gaining improper administrative access to the district’s IT system.

Jeremy Currier, with parents Janet and Ted Currier, was one of two students expelled from Rochester Community Schools for gaining improper administrative access to the district’s IT system.

Photo by Patricia O’Blenes


RCS officials push password changes following data breach

By: Mary Beth Almond | Rochester Post | Published October 16, 2018

ROCHESTER HILLS — The Rochester Community Schools district is recommending that students change their passwords following an online data breach.

Superintendent Robert Shaner sent an email to parents alerting them of the situation Oct. 1.

“We are living in unprecedented times, and school districts also remain a target for hacking,” he said in the email.

Shaner said computer and technology use is “a privilege” in the district’s schools, and “a small number of students abused that privilege” late last year.

School disciplinary sanctions were imposed on the students, according to Shaner, who said police currently are investigating. The district, according to Shaner, is now “taking the necessary steps to confirm that none of our digital information has been altered, destroyed or transferred.”

“At this time, we are confident that our network and data are secure,” he said in the email. “However, we strongly encourage students to change their passwords on a regular basis and keep them safe. Staff members are required to change their passwords every 90 days and ensure their security.”

Janet Currier, of Rochester Hills, said the district knew about the data breach in May when officials first suspended her son Jeremy, 15, and another student for gaining improper administrative access to the district’s IT system.

Jeremy Currier and the other student — who did not want to be identified — were later expelled in June.

Janet and Jeremy said the district’s cybersecurity practices are weak, and they wanted to let the school community know.

“The system could have forced a mandated password change, which would have been the appropriate action. They didn’t do that,” Janet said.

“It’s been six months since they caught us, and they just enabled the option to change passwords, and it’s not even required. It should be required,” Jeremy said.

It all started when Jeremy was 12 and found a yellow Post-It note containing a username and password stuck to a public student computer in his middle school’s media center.

“At the time, I didn’t really think much about it because it was just a normal account that anyone could use, because it was a public account. I was looking around; it wasn’t like I was going in there saying, ‘I’m gonna hack the school,’ or anything like that. I just opened up the file explorer, and I found the Excel document right there for all the student usernames and logins for the entire school. That’s how it started,” Jeremy said.

While looking around, Jeremy said, he also discovered a different program on the public computer for a group manager, which had the authority to change the usernames and passwords of anyone in the school district.

“I was just nosing around. It wasn’t anything special. I mean, it was a public account, so I assumed nothing would be on there,” he said.

The teens, he said, gained access to bypassing filters by using the username and password of a former teacher whose account remained open in the district network.

Jeremy said he “didn’t do much” with the information and access until the end of eighth grade — when he learned that he could use the username and password from the sticky note to log in to the district’s IT system at home through the MyRCS web portal.

“Anything that was stored digitally in the district was at risk at that point,” Jeremy said. “As soon as anyone has access to something like that, that has that much power, anything below it is automatically compromised,” he said.

Janet said her son and the other student had access to the district network for three years — adding that her son did not change grades, disclose personal information or install software on the district’s computer system — before the district found out.

“Access just means he was able to get in,” she said. “He could have done a lot of stuff, but … he didn’t do anything like that. He didn’t change grades; he didn’t delete files; he didn’t share information. There is a lot that he could have done and didn’t do. It was so wide open to young kids that if they could easily grab that administrative password and have that much control, that’s really scary to me.”

Janet said the teens, who she said are “good kids,” didn’t know what to do when they stumbled upon the information, and then they felt trapped when they didn’t immediately disclose their findings.

“These kids have uncovered a problem, a big problem … and the school district should take responsibility for it,” said Janet.

“I have remorse and I have regrets,” Jeremy said of the incident.

District officials issued a statement and declined to be further interviewed.

“When there is an ongoing police investigation, we cannot publicly share details that could have a negative impact on the investigation,” RCS Director of Strategic Relations Lori Grein said in an email. “Federal and state laws also prohibit the district from publicly identifying the students or providing additional details concerning their actions. Such a disclosure may also unfairly prejudice the pending criminal proceedings. For these reasons, the district will not be making any future statements concerning this matter.”

Capt. Michael Johnson, commander of the Oakland County Sheriff’s Office’s Rochester Hills substation, confirmed that there is an open criminal investigation into the juvenile case.

Those with questions or concerns are asked to call the district at (248) 726-3100 or use the “Talk to Us” feature at www.rochester.k12.mi.us.