What at first looked like a single data breach affecting Montgomery County Public Schools (MCPS) in Maryland turned out to be a series of breaches that impacted thousands of more students than was originally reported.

On Oct. 4, 2019, MCPS disclosed that a district student had one day earlier allegedly executed a brute-force credentials-stealing attack against Wheaton High School’s Naviance platform and downloaded demographics data from 1,343 accounts registered to students. Naviance is an online college and career readiness program.

But in an updated online disclosure published late last month, MCPS announced that a forensic investigation conducted by the Montgomery County Police Department revealed additional intrusions that took place between Sept. 12 and 14. The district has now revised the total number of compromised accounts to 5,962 across six schools.

In addition to Wheaton, Montgomery Blair High School, Julius West Middle School, Argyle Middle School, Parkland Middle School and A. Mario Loiederman Middle School were also hit by the breach.

Exposed data included names, birth dates, home addresses, email addresses and phone numbers, as well as academic information such as student ID number, weighted GPA, highest SAT score and more.

“At this time, MCPD does not believe that the student shared any accessed information with others,” the district’s updated notification states. “The student currently faces additional disciplinary action based on the expanded scope of the brute-force attacks as well as possible criminal charges.”

Following the original discovery of the breach, MCPS forced a district-wide password reset for all Naviance student accounts to prevent any additional unauthorized access.