Mom & Daughter Duo Hack Homecoming Crown

A Florida high-school student faces jail time for rigging her school’s Homecoming Queen election.

A 17-year-old high school senior along with her mother, Laura Rose Carroll, were arrested this week, charged with accessing student records in a fraudulent attempt to rig her school’s Homecoming Queen election.

Carroll worked as an assistant principal at Bellview Elementary School in the Escambia County School District in Cantonment, Fla. — the same district where her daughter attended  Tate High School, the Washington Post reported. Authorities were tipped off to the fake votes after the daughter bragged to other students about using her mom’s access to “FOCUS,” the district student-information system, to cast votes in the election for the school’s Homecoming Court from student accounts, without their knowledge.

Tate High School’s student body of about 2,000 had two days between Oct. 28 and 30 to cast their votes for Homecoming Court through “Election Runner,” a system frequently used by the school for election-type activities. It requires students to provide their school-ID numbers and birth dates before they can vote.

On Oct. 31, Carroll’s daughter was crowned Homecoming Queen, but the victory was short-lived. The Washington Post said that before the vote window was closed, Election Runner sent an alert to the school warning that many of the votes were suspected to be fraudulent.

‘FOCUS’ Student-Data System Breached

Carroll’s daughter didn’t seem too worried about hiding the fraud, since she bragged to fellow students about the stolen votes. Arrest records document about 117 votes from the same IP address, which investigators were able to trace back to Carroll’s home and cellphone, the Post reported.

“She looks up all of our group of friends’ grades and makes comments about how she can find our test scores all the time,” one student said, in a written statement.

“I recall times that she logged onto her mom’s FOCUS account and openly shared information, grades, schedules, etc., with others,” another student’s statement read. “She did not seem like logging in was a big deal, and was very comfortable with doing so.”

Another witness told authorities that Carroll would have received a notification each time her daughter logged onto the FOCUS system, according to the Post. The witness added that Carroll was required to change her password for the FOCUS system every 45 days, meaning she would have had to have shared each of the new passwords with her daughter for her to maintain access.

Carroll met with the Escambia County School board on Nov. 4 about the alleged abuse of the school’s student data. On Nov. 5, the district contacted the Florida Department of Law Enforcement [FDLE] to report she and her daughter “were involved in potential unauthorized access to student FOCUS accounts,” the Post added.

“The investigation also found that beginning August 2019, Carroll’s FOCUS account accessed 372 high school records, and 339 of those were of Tate High School students,” FDLE said in a news release. “The investigation also revealed that beginning August 2019, Carroll’s Focus account accessed 372 high school records, and 339 of those were of Tate High School students.”

Both Carroll and her daughter were arrested on one count each of offenses against users of computers, computer systems, computer networks and electronic devices (a third-degree felony); unlawful use of a two-way communications device (also a third-degree felony); criminal use of personally identifiable information (yet another third-degree felony); and conspiracy to commit these offenses (a first-degree misdemeanor), according to the FDLE.

School-District Insider Threats

With schools under constant threat of cyberattack, targeted by malware, phishing, distributed denial of service (DDoS), Zoom-bombings and more, abuse from trusted users and insider threats is also something that needs to be checked. A joint alert issued from CISA and the FBI last December called schools a “data-rich environment of student information.”

And in case there was any question about how seriously law enforcement tends to take this type of breach of student data, just look at the consequences Carroll and her daughter are facing.

Carroll was arrested and booked into the county jail and released after posting $6,000 bond, according to the Post, while her daughter was taken to the juvenile detention center. Carroll was also suspended from her job, the Post said.

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:

 

Suggested articles

Discussion

  • Florida Parent on

    I have been complaining about this system for years. Unless they changed it recently, it uses assigned, unchangable passwords based on public information. If you get invited to a birthday party then you can log into FOCUS as that student. I have basically told my school district that I will hold them responsible for any identity fraud committed against my children because of it. It should be the schools' IT departments that should be going to jail. Their response when I questioned these issues was that SCHOOLS were not legally liable and that was the VENDORS problem. Our children are at risk and instead of arresting parents and students just guess EASILY GUESSABLE password, they should use a product that is actually secure and AT LEAST allows users to select their own passwords.
  • Aspiring CSec Pro on

    I agree with the Florida Parent who posted here! This is a problem that shouldn't be brushed off with something as crappy as "It's the VENDORS problem". Let's be real, the VENDOR will do NOTHING about this until people make a big deal out of it in social media/public news AND ACTUALLY FOLLOW-UP about it!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.