Bloomfield Hills High School

Two students from Bloomfield Hills High School are the main suspects in a recent hack discovered at the school this week.

The two broke into the school's MISTAR Student Information System portal, where they changed grades and attendance records and attempted to refund lunch purchases.

The hack came to light after a school employee logged into his account and noticed an error. School officials investigated the issue and discovered the hack.

The two students are said to have used a vulnerability in the school portal to carry out their hack. They tried to disguise their identity by modifying the records for 20 students.

Dire repercussions announced in a YouTube video

But according to a YouTube video posted by Bloomfield Hills High School superintendent Robert Glass, school employees, with the help of forensic data experts, managed to track down the two culprits.

"As a father myself, my heart aches for the parents of the students who will be learning a very hard lesson," Glass said in the YouTube video.

"The consequences for these young individuals is likely to be severe. Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications," Glass said. "Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law."

The YouTube video was shared on the high school's website, as a warning for other students. The website now also shows a popup with a written message from the school's management.

According to the message, school officials are preparing password resets for parental accounts.

Popup message on high school website

Vulnerability in school system fixed

Bloomfield Hills High School officials said they've also patched the vulnerability students used to get into their MISTAR system.

Officials are also looking into the changes made to attendance records and lunch balances, but their top priority is the changes made to grades, especially with the semester coming to an end in a few weeks.

Overall, we're seriously impressed with the way the high school's staff handled the hack. They've hired a forensic investigator, set up a dedicated FAQ page, prepared password resets, and got the superintendent to apologize in a YouTube video, à la Equifax. Much better and clearer at communicating the incident's details than many Fortune 500 companies.
