Two Berkeley High School students exploited a critical cybersecurity flaw in the district’s electronic voting system by accessing classmates’ email accounts using a widely known default password. The students cast 550 fraudulent votes in their favor during an ASB (Associated Student Body) election, rigging the results before being disqualified. The incident exposed systemic vulnerabilities, including weak password policies and unsecured student data access, which could have enabled broader unauthorized access to sensitive information. While no financial or highly sensitive personal data (e.g., SSNs, medical records) was compromised, the breach eroded trust in the district’s digital infrastructure and raised concerns about potential escalation such as unauthorized access to academic records, disciplinary files, or communication systems. The district responded by mandating password resets for all students, but the incident highlighted negligence in cybersecurity protocols, risking reputational damage and future exploitation. The lack of multi-factor authentication (MFA) and default credential misuse further amplified the risk, though the immediate impact remained confined to election interference.
TPRM report: https://www.rankiteo.com/company/berkeley-unified-school-district
"id": "ber3502135102825",
"linkid": "berkeley-unified-school-district",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation:"{'affected_entities': [{'customers_affected': ['Berkeley High School students',
'ASB election participants'],
'industry': 'Education',
'location': 'Berkeley, California, USA',
'name': 'Berkeley Unified School District',
'type': ['educational institution',
'K-12 school district']}],
'attack_vector': ['default password exploitation',
'insider threat (student-led)',
'account takeover'],
'data_breach': {'personally_identifiable_information': ['student names',
'school email '
'addresses'],
'sensitivity_of_data': 'moderate (educational records, but no '
'financial/PII beyond school context)',
'type_of_data_compromised': ['student email credentials',
'voting data']},
'date_detected': '2023-10-00',
'date_publicly_disclosed': '2023-10-00',
'description': 'Two Berkeley High School students attempted to rig their '
"school's ASB (Associated Student Body) election by logging "
"into classmates' email accounts using a widely known default "
'password. The incident exposed significant cybersecurity '
'vulnerabilities within the Berkeley Unified School District, '
'particularly the use of default passwords and lack of access '
'controls. The students cast 550 illegal votes in their favor '
'before being disqualified. The breach was detected when '
'school officials noticed an unusual surge in votes for the '
'two candidates during the electronic ranked-choice voting '
'process.',
'impact': {'brand_reputation_impact': ['negative publicity for Berkeley '
'Unified School District',
"eroded trust in school's "
'cybersecurity practices',
'concerns over student data '
'protection'],
'data_compromised': ['student email account credentials',
'voting records'],
'identity_theft_risk': ['potential (due to exposed credentials)',
'low severity (limited to school '
'accounts)'],
'operational_impact': ['election results invalidated',
'disqualification of candidates',
'password reset campaign initiated'],
'systems_affected': ['school election voting system',
'student email accounts']},
'initial_access_broker': {'entry_point': ['default student email passwords',
'shared credential list'],
'high_value_targets': ['ASB election voting system',
'student email accounts']},
'investigation_status': 'ongoing (disciplinary actions for students pending)',
'lessons_learned': ['Default passwords pose significant risks even in '
'non-critical systems (e.g., school elections).',
'Student-led cyber incidents can expose systemic '
'vulnerabilities with broader implications.',
'Electronic voting systems in educational settings '
'require robust access controls and audit trails.',
'Password hygiene education is critical for all users, '
'including minors.',
'Incidents with low direct harm (e.g., election rigging) '
'can still damage institutional reputation.'],
'motivation': ['personal gain (election victory)', 'competitive advantage'],
'post_incident_analysis': {'corrective_actions': ['Password policy overhaul '
'(enforced complexity, no '
'defaults).',
'MFA implementation for '
'sensitive systems (e.g., '
'voting platforms).',
'Student cybersecurity '
'training program.',
'Voting system audit and '
'security upgrades.',
'Incident response plan '
'updates to include '
'student-led threats.'],
'root_causes': ['Use of default passwords known to '
'all students.',
'Lack of access controls for '
'student email accounts.',
'Absence of monitoring for '
'anomalous voting behavior.',
'Insufficient cybersecurity '
'awareness among students.',
'Over-reliance on honor system for '
'electronic voting.']},
'recommendations': ['Implement multi-factor authentication (MFA) for all '
'student/faculty accounts.',
'Enforce strong password policies and eliminate default '
'credentials.',
'Conduct regular cybersecurity awareness training for '
'students and staff.',
'Audit and secure electronic voting systems with '
'role-based access controls.',
'Monitor for unusual login activity or voting patterns in '
'real-time.',
'Establish clear incident response protocols for '
'student-led cyber incidents.',
'Engage third-party security assessments for educational '
'technology systems.'],
'references': [{'date_accessed': '2023-10-00',
'source': 'ABC7 News (KGO-TV)',
'url': 'https://abc7news.com/berkeley-high-school-election-rigging-students-voter-fraud/13900000/'}],
'regulatory_compliance': {'regulations_violated': ['potential violation of '
'Family Educational Rights '
'and Privacy Act (FERPA)',
'California Education Code '
'(student data '
'protection)']},
'response': {'communication_strategy': ['public disclosure via media (ABC7 '
'News)',
'internal notifications to '
'students/faculty'],
'containment_measures': ['disqualification of fraudulent '
'candidates',
'invalidation of illegal votes'],
'incident_response_plan_activated': True,
'recovery_measures': ['re-run of election (implied)',
'communication to student body'],
'remediation_measures': ['mandatory password resets for all '
'students',
'review of password policies']},
'stakeholder_advisories': ['Students advised to change passwords immediately',
'Faculty notified of incident and remediation '
'steps'],
'threat_actor': ['two Berkeley High School students (minors)',
'insider actors'],
'title': 'Berkeley High School Election Rigging Exposes District '
'Cybersecurity Flaws',
'type': ['election fraud', 'unauthorized access', 'credential abuse'],
'vulnerability_exploited': ['weak password policies',
'lack of multi-factor authentication (MFA)',
'shared/default credentials',
'unrestricted access to student email accounts']}