A US mother is facing six felony counts for allegedly hacking into her children’s school computer, changing their grades, and accessing the school’s human resources system to open thousands of personnel files that contained contracts, employee reports and other information.
The mother, Catherine Venusto, 45, from New Tripoli, Pennsylvania, worked as a secretary for the Northwestern Lehigh School District from 2008 through April 2011 and has at least two children in the district, according to the District Attorney’s office.
Venusto is accused of changing her daughter’s grade from an F to an M for “medical,” of allegedly boosting her son’s grade of 98 percent to 99 percent, and of using the superintendent’s information to log onto the district email system and to access Northwestern Lehigh’s human resources system.
According to Lehigh Valley Live.com, Venusto allegedly used the superintendent’s password 110 times over the course of a year and a half to conduct the mischief.
Authorities told news outlets that Venusto also used the information of nine other Northwestern Lehigh employees, most of whom were in the guidance department, to access computer systems.
According to Lehigh Valley Live, officials first suspected a problem in January after the high school principal told superintendent Dr. Mary Anne Wright that teachers didn’t understand why she was checking their computer-based gradebooks.
Wright told the principal that she hadn’t looked at the books. That’s when the jig was up.
The district immediately shut down the student information system, quickly initiated steps to bolster security, and turned the matter over to state police, Wright told Lehigh Valley Live:
"Within three hours of suspecting unauthorized access, email, student information system and the district shared drive were shut down until we were able to fully identify the issue. New security measures were put in place before the systems were accessed again by staff, students or parents."
Venusto is facing three counts each of unlawful use of a computer and computer trespass, which are third-degree felonies.
She was arraigned on Wednesday and released on $30,000 unsecured bail, which she’ll only have to pay if she fails to appear in court for her preliminary hearing on July 26.
If she’s convicted, Venusto could face a maximum of 42 years in prison or a $90,000 fine, District Attorney’s office spokeswoman Debbie Garlicki told ABC News Radio.
Garlicki said that the maximum penalty on each count is seven years or a $15,000 fine.
The school district may well have acted promptly to clamp down systems and improve security after they discovered the trespassing and tinkering, but the plain fact is that leading up to this incident, employees seemed to play fast and loose with security.
Perhaps it’s necessary for a superintendent’s secretary to know her boss’s login information. Even if it is, it’s hard to imagine why Wright failed to change her password after Venusto left her job.
This is a good reminder that a password that walks out the door inside the brain of an ex-employee (as well as a current employee, insider-threat-wise) could well come back to haunt us.