PRINCE GEORGE'S COUNTY, Md. - School threats are a nationwide phenomenon, but an investigation into a threat sent to three Prince George’s County public schools revealed a major flaw in the district’s cyber security practices.
When FOX 5 looked into the incident problems were exposed in how the school system gives out passwords for student email accounts.
Multiple sources told FOX 5’s Evan Lambert that Prince George’s County schools have made their password distribution system so easy, almost any student could figure out how to pose as a classmate.
Police arrested and charged a 14-year-old female student with making the threats, but at least one threat came from the account of another student, according to a source with knowledge of the case.
It’s unclear how the suspect gained access to that account, but FOX 5 discovered it could have been as simple as knowing her classmate’s student ID information.
Everything one would need to log in to another student’s account is on their student ID in most cases.
If it’s lost and a classmate finds it, any student who knows the format can pose as another online.
Cyber security expert Reginald Corbitt says the strategy is a major flaw.
“I think it's a terrible idea actually to have that information accessible where any student can see it at anytime can write that information down,” Corbitt said.
Corbitt says the system uses passwords that are inherently insecure.
Randomness makes them safer. Some local school districts have students create their own passwords.
But in Prince George’s County, passwords are generally assigned, and follow an easy to remember format.
A school board member told FOX 5 they expect the district to come up with a plan that will help keep students’ identities safe.
“The reality of it is in 2019 we're a very technology driven society and so our students not only should be fully secure but they should feel secure,” said Joshua Thomas of School Board District 2.
Responding to the apparent vulnerability, a district spokesman told FOX 5:
"We are reviewing this incident and our processes to ensure email security."
Another school board member, Edward Burroughs, told FOX 5 they will look at avenues for updating the process.
“Ultimately with technology you have to update the rules on a host of different levels so I foresee us being able to work through this pretty quickly,” he said.
It is still unknown how the student who launched the threats accessed at least one of the email accounts from which a threat came.