A hack of the Odyssey Charter School Website went unnoticed for possibly two-and-a-half years until the UtahCyberCheck project discovered the hack in December 2019.

Analysis of Hack

Based on available information, the hack of odysseycharter.net appears to be rather mild. The single-page evidence, as saved and made viewable on archive.org’s Wayback Machine, has just two lines with a gmail address and a hacker handle (or pseudonym). Hacks like these are likely to help hackers gain prestige among the underground community. However, the ability to manipulate files on a server can have far more serious consequences. For example, the hacker may have had the capability to change the “Donate” button on the school’s homepage to send visitors to a website to steal donations and payment information. Although the webpage claiming credit for the hack is the only publicly visible sign the hack occurred, there is a strong possibility the hacker (or other hackers) took further actions.

A screenshot of the hacker's content on OdysseyCharter.net
A screenshot of the evidence of the hack

This isn’t the only website this hacker has hit. A Google search reveals the hacker has made similar claims on several other websites. Among the search results is an exploit technique dated 2017-07-11 and an analysis of a similar hack dated 2017-07-14. Based on these dates, it’s possible Odyssey’s hack occurred two-and-a-half years ago in the summer of 2017.

Google search results indicating the hacker has hit other websites
Google results showing website the hacker appears to have hit

Communication Struggles with School

UtahCyberCheck attempted to contact the school directly multiple times over three weeks but failed to receive a response. Eventually a tip was submitted to the Utah Department of Public Safety which successfully reached the school. Within 48 hours of the tip, the “signature card” of the hacker was taken down.

A Symptom of a Larger Cybersecurity Problem

The implications of this event is quite serious. First, there is insufficient security monitoring on the website to detect this attack. Second, no procedures are in place to handle a cybersecurity incident or any reports of issues. This indicates the school does not have the capability to adequately protect student data.

However, Odyssey Charter’s issues is just an indication of a broader cybersecurity problem across Utah education. Many schools and districts lack the funding and expertise to handle cybersecurity problems and fortify their systems. The UtahCyberCheck project is finding and responsibly reporting dozens of issues across many Utah schools. The current way of protecting student information needs to be systemically addressed.

For more information about the UtahCyberCheck project, you can read its announcement blog post.