A virtual classroom, filled with dozens of Phoenix-area middle school students, was exposed to a sexually explicit video on their first day back at school.
Parents of teens and pre-teens at Legacy Traditional School in Surprise say there were roughly 60 kids in the cyber-class when a pornographic video filled the screen.
Tahnee Conner's 12-year-old called out for his mom Wednesday, just an hour into his school day.
"He said, 'Mommy, something weird is going on.' So I walked over to the computer and all the little faces were popped up there and they all had this puzzled, well horrified, look on their face," recalled Conner, who said shortly after, she saw the R-rated video fill the screen.
"And the teacher, bless her heart, was trying the best she could. Like every time it popped up. She kept taking it off. But she couldn’t block the guy," said Conner.
Eventually the session was shut down. A school spokesperson told ABC15 that a student created a fake email address and duped the teacher into letting him in.
But the Google Meet room was not password protected, did not have any sharing or content restrictions, and access was not linked to specific email addresses.
The spokesperson went on to say, "Legacy Traditional Schools takes this situation seriously, and we have reinforced that students who fall short of our expectations for mature, respectful behavior will face disciplinary consequences. Our live, online teaching sessions will resume Thursday with enhanced cybersecurity measures in place."
Earlier in the day, Legacy's principal wrote to parents, "We have no reason to believe this was a Legacy student or that students were harmed in any way."
"Just because they weren’t physically harmed doesn’t mean they weren’t harmed. That isn’t an image my son has ever seen before," said Conner.
Some cybersecurity experts also wonder if it could have been easily prevented.
"Something as simple as putting a password protection on that meeting could help prevent that," said Tom Tardy, a retired Phoenix police officer who now runs GingerSec.
Cybersecurity concerns are nothing new in 2020. "Zoom Bombing" became a common phrase earlier this year, when COVID-19 forced nearly all interactions online.
But security options have ramped up since the beginning of the pandemic, leading Legacy parents to question how this was able to happen so easily.
"I don’t want to fault the school but it is kind of their fault for not thinking ahead. They’ve had all summer to do it," said Conner.
Conner also told us the explicit video was not the only inappropriate incident.
Parents say there was cussing, lewd comments, and dirty links shared in the chatrooms as well.
We found that many districts in the Valley have been preparing to handle the potential external and internal threats surrounding online learning.
Kyrene School District in Tempe told ABC15 that "to enter the classroom, the student must first be logged into our secure system." They also have "additional safeguards [like] teacher control of audio, video and attendance - if a teacher leaves the room, it automatically shuts down - and links to class sessions are not shareable. If someone outside the system tries to use one of our links, it will not function."
Meanwhile the Madison School District requires students have a username and password, and their "District-issued Chromebooks include content filters so that students can only access educational materials and programs."
Mesa Public Schools also has a password requirement for meetings and even has monitoring options for parents to see what websites their children are accessing, or trying to access, and how much time they are spending online.
Legacy Traditional did not provide specifics about how they were improving security measures to prevent a repeat of Wednesday, but said "Our live, online teaching sessions will resume Thursday with enhanced cybersecurity measures in place."
When using platforms like Zoom, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. Investigators say to follow these steps to mitigate teleconference hijacking threats:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screen-sharing options. In Zoom, change screen-sharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated its software. In the security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
If you were a victim of a teleconference hijacking, or any cyber-crime for that matter, report it to the FBI’s Internet Crime Complaint Center at ic3.gov.