Student Charged in Cyberattacks at Miami-Dade Schools

On Monday, the first day of public school in Miami-Dade County, Fla., students logged on to their virtual classrooms and immediately encountered glitches.

The computer network for the district, the fourth largest in the United States, seemed to be overwhelmed with traffic, and students were confronted with error messages and other technical difficulties that lasted for days.

On Thursday, school administrators said that the problems had stemmed from cyberattacks — and that a 16-year-old student at South Miami Senior High School had been arrested.

“The student admitted to orchestrating eight Distributed Denial-of-Service cyberattacks, designed to overwhelm district networks,” the district said in a statement. The student was charged as a juvenile offender with computer use in an attempt to defraud, a felony, and interference with an educational institution, a misdemeanor, the authorities said.

A distributed denial-of-service attack would not necessarily compromise users’ privacy or information.

“What that means is that the suspect who was arrested, and likely colleagues of his working in coordination, had identified a server that was, or servers that were, run by the Miami-Dude schools, and then flooded that server with malicious traffic — so much traffic that it caused the system to bottleneck,” said Douglas A. Levin, a cybersecurity expert and the president of EdTech Strategies, a consulting firm.

One of the attacks was associated with an IP address that led investigators to the student’s home, according to a police report. It was unclear whether the student had a lawyer, and a phone message left for his mother on Thursday was not immediately returned.

Other people may have been involved in the attack, Edwin Lopez, the chief of the Miami-Dade Schools Police, said in the statement.

“We will not rest until every one of them is caught and brought to justice,” he added. “Cyber attacks are serious crimes, which have far-reaching negative impacts. Our message to anyone thinking of attempting a criminal act like this is to think twice. We will find you.”

The statement from the district said that the glitches had targeted district networks, including those needed to run My School Online, an online learning platform from a company called K12.

Jack Meyer, 17, a senior at Miami Palmetto Senior High School, had trouble logging onto the platform as soon as he started school on Monday. “It was really laggy,” he said. “About half the time, my classes wouldn’t load at all.”

He got repeated error messages about heavy traffic, and he tried to fix the problem by hitting the refresh button over and over again.

Mr. Meyer, who reported on the glitches for the school newspaper, said the problems had largely been resolved after teachers switched to other platforms, such as Microsoft Teams and Zoom.

The cyberattack raised questions about whether the company and the district had done enough to protect their networks, Mr. Levin said — and about whether the authorities were assigning blame to a student whose role in the attack did not appear to have required an especially high level of sophistication.

“The notion that a 16-year-old could bring down the entire I.T. system is concerning, and it should raise questions,” he said.

A spokeswoman for K12 said that while the network disruptions had affected the company’s delivery of service, K12 had not caused the attack and was not responsible for the district’s network. “Also note that the K12 network was not directly impacted, and no data was compromised,” she said.

Use of the K12 platform has been halted for Miami-Dade students in grades six through 12, but younger students are still using it. A $15 million contract with the company has come under extra scrutiny in recent days. That contract has yet to be fully executed; a spokeswoman for the district said the money had not yet changed hands.

She added that the district would decide by the end of next week whether the older students would return to the platform.

The transition to online learning has been a fraught process for many school districts across the United States. In some cases, preparation and training efforts lagged because of questions over whether students would go to class in person. There have been tense debates over how many hours of online interaction teachers would have to provide to students and whether they should use their vacant classrooms or work from home.

School districts are increasingly being targeted for hacks and cyberattacks, Mr. Levin said, raising questions about what should be done to establish better, more comprehensive safeguards. Local governments have been targeted, too. Last year, Lake City in North Florida and Riviera Beach in Palm Beach County each signed off on ransom payments of hundreds of thousands of dollars after hackers took over their networks.

source: nytimes.com