This is a developing story and will be updated. Please continue to check back as we obtain new information.
On Wednesday the 24th, thousands of students around Lower Merion School District awoke to a strange message in their school email inbox. “Thank you for reporting the absence of your … student. You may receive a phone call from the District indicating that your student is absent.” LMSD says they have determined that the district network was not hacked or compromised, but are still investigating the cause of the issue.
Normally, a note such as the one depicted above would indicate that the student or their parent had requested an absence using LMSD’s online absence request form. However, that was not the case. The requests were made by a mysterious third party.
Most students received the email between 1 AM and 5 AM the morning of the 24th. It is still unclear what the cause of the malfunction was. The email contained a short manifesto-like blurb leading some students to speculate that an angered parent submitted the requests. It read:
The Safe Arrival system is an unsecured danger to LMSD. Students are easily able to sign themselves out and it is an unacceptable danger to the safety of district schools. Administration has demonstrated an unwillingness to act as students engage in flagrant truancy. To fix these problems we ask that:
1. A CAPTCHA system be implemented on the safe arrival form
2. A database of valid parental emails be implemented with 2FA for all absences
3. The safe arrival form be blocked on LMSD networks
The email varied slightly from student to student. For some, it stated that the request was for an early dismissal instead of an absence. The date the request was for also varied but tended to be a date within the next few weeks.
Harriton TV estimates that over 4000 students around the district received the email and is working to confirm the actual number. We confirmed in the afternoon of the 24th that students from both Middle and both High Schools received emails.
Update 4/24 at 11:30 AM: LMSD released a full statement in regards to the issue. The statement can be viewed below:
Good morning, LMSD Families,
This morning, we were made aware of emails that were sent to some students regarding the LMSD Safe Arrival absence-reporting website. The District’s Information Systems Department is investigating these emails, but has determined that District computer and network systems have not been hacked or compromised.
Our other District systems (PowerSchool, etc.) are not affected in any way. If you received a call or email this morning that has you concerned about whether your child is safely in school, you may call your school office to check.
We apologize for any concern or inconvenience that these emails may have caused.
Yours truly,
Amy Buckman
Dir. School and Community Relations
Update 4/25 at 5:00 PM: LMSD released a second public statement with additional information about the emails. Viewable below.
Dear LMSD Families:
Yesterday we shared information with you regarding errant emails that were sent to some secondary students’ email accounts from the LMSD Safe Arrival website.
Our Information Systems Department followed up with our website provider and was able to identify the IP address that generated the emails. The IP address was blocked, as were all IP addresses connected to the service provider. Further legal steps are under discussion.
Again, we want to stress that these emails did not compromise our District systems, such as PowerSchool.
Here’s what we think happened. It is likely that a student (or a parent/guardian with access to a student’s email account) auto-populated the LMSD Safe Arrival form with a message and with email addresses to which they have access. The system then sent confirmation emails to those addresses.
This was possible because all students with LMSD email accounts have access to other students’ LMSD email accounts, as explained in the District policy which parents/guardians sign prior to their child’s account being activated. You can review that here: https://www.lmsd.org/departments/technology/coppa/6-new.
To prevent this from happening again, we have adjusted the LMSD Safe Arrival system, so that confirmation emails will no longer be sent. Discontinuing confirmation emails will allow us to continue to offer the convenience of online absence reporting without running the risk of errant emails.
Again, we apologize for the inconvenience yesterday’s emails may have caused. If you have further concerns, feel free to contact Mr. George Frazier, Director of Information Systems, at [email protected].
Yours truly,
Amy Buckman
Dir. School and Community Relations
This is a developing story and will be updated. Please continue to check back as we obtain new information.
Harriton TV is a student-run news organization. Posts to Harriton TV’s Website do not necessarily go through an approval process by Harriton faculty.