Shadowy criminal gangs with sinister names like The Dark Overlord are terrorizing schools. They hack into district networks and then demand hundreds of thousands of dollars in ransom payments, making threats of terrible consequences if schools do not agree to hand over the money.
It’s a growing problem that’s now tougher to tackle as districts lean further into the use of technology for teaching and learning and the management of schools and cyber criminals get craftier and more sophisticated. And, more and more, it is becoming a problem faced by districts of all sizes, all across the country.
“It is a bit of a cat-and-mouse game, meaning that as people learn how to protect themselves from attacks, the [bad] actors change their tactics and get more sophisticated,” said Doug Levin, the national director of the K12 Security Information Exchange (K12 SIX) and one of the top experts in the country about cybersecurity for K-12 schools.
The increasing number of attacks and their growing complexity have big implications for teaching and learning, school budgets, parent communication, and the protection of sensitive data about students and employees.
But taking on the problem is expensive, tedious, and often thankless. Administrators’ and teachers’ eyes’ tend to glaze over when district IT workers start telling them about effective cybersecurity practices and how they should put them in place.
“It’s almost like a foreign language,” said Ryan Cloutier, the president of SecurityStudio, which works with districts on cybersecurity. “Even the biggest companies in the world struggle with this. There’s not enough time, dollars, or hours to address everything.”
It is a bit of a cat-and-mouse game, meaning that as people learn how to protect themselves from attacks, the [bad] actors change their tactics and get more sophisticated.
Why do hackers go after schools?
K-12 schools make tempting targets, in large part, because they have loads of data. And in most cases these days, nearly every computer system that stores data—from gradebooks to door locks to salary information—relies on some sort of online network that is capable of being hacked.
To complicate matters, districts became much more reliant on technology during the pandemic, when they handed out millions of digital devices for remote learning, set up WiFi hotspots around their communities for students to access, and dramatically increased their use of online programs and apps for instruction.
Those changes have opened the doors much wider for hackers to infiltrate districts’ computer networks. And all it takes is for one teacher, student, or parent to click on a phishing email created by a cyber criminal and a ransomware attack could be underway.
Increasingly, education and technology companies that work with K-12 schools are also being targeted. In January of 2022, roughly 5,000 schools and colleges saw their websites go dark when a ransomware attack targeted Finalsite, a private company that provides webhosting and other communications services.
Who are the cyber criminals targeting schools?
Hackers can be disgruntled—or just bored— students. Some have high-level computer skills, others may have stumbled on a teacher’s password.
They can also be low-level cyber criminals who send millions of spam emails to every single address they can find that include malicious attachments aimed at spreading viruses to help them harvest people’s credentials or steal money. Or they may pose as a popular company, say, Netflix, asking for a payment or credit card information. These hackers may not realize— or care—that they are reaching out to school districts. They are just trying to get someone, anyone, to fall for their scam.
Probably most menacing of all: organized cybercriminals who often work overseas, in countries that are tough for U.S. law enforcement to reach. (Think Russia and China, among many others.) These hackers often know they are targeting schools and may do research into what education or technology companies work with a specific district and which staff members are responsible for handling financial transactions for the district.
Their crimes can take all sorts of forms. They may attack a district’s system with malware and hold it for ransom. Or, using a real invoice from an actual education or technology company, they may change a bank routing number so that a district’s payment winds up in the cyber criminal’s bank account, and not the company’s.
“A 5-year-old today, if their information is stolen, maybe 20 years from now, they'll find out that they own a property in Las Vegas."
What are the common types of cyberattacks?
Data breach—This is what many people think of as the classic “hack.” Someone who is not authorized to see or change certain types of data breaks into a district or school’s system and copies, steals, transmits, changes, or just views the data. These attacks make up a little more than a third—36 percent—of all reported cyberattacks on schools, according to the K12-SIX.
The hackers can be sophisticated international criminals planning to steal staff and student data, or simply a high school student who retrieved a teacher’s password and logged in to the district or school network to change some grades.
And there are some bizarre twists to hacker personas. For instance, a mother in Florida, who also happened to be an assistant principal in the district, used her official district credentials to change the results of a student vote to get her daughter elected homecoming queen.
Of course, the motivation behind hacks can be a lot more serious. Criminals may sell student and staff data to be used in identity theft.
Student data are especially valuable to identity thieves, said Rod Russeau, the director of technology and information services for Community High School District 99, near Chicago. That’s because credit checks are rarely conducted on children, so the fraud may not be discovered for years.
“A 5-year-old today, if their information is stolen, maybe 20 years from now, they’ll find out that they own a property in Las Vegas,” Russeau said.
For instance, just last year, parents in Toledo, Ohio, found that cyber criminals had applied for car and credit card loans in the names of their children, who are in elementary school.
Ransomware—These are the attacks that typically get the big headlines. Cyber criminals break into a district or school’s network and take data and encrypt it, essentially preventing the district from accessing the data. They agree to decrypt and return the data if the district—or its insurance company— pays a ransom, often in the hundreds of thousands of dollars. If school districts do not have a system that backs up their data and they choose not to pay the ransom, that data can be lost forever. Some of these attacks are becoming sophisticated enough to go after a district’s back-up data too, so that districts don’t have the option of using them to restore their systems. And sometimes a particularly sophisticated attack can happen multiple times.
Attackers may also threaten to release student and employee data to the public if they aren’t paid—and some have made good on those threats. In 2021, hackers demanded $40 million from Florida’s Broward County School District, later lowering their price to $10 million. After the district offered to pay a smaller sum, the hackers published nearly 26,000 stolen files, according to the South Florida Sun Sentinel. And back in 2017, hackers sent personalized texts to parents in Iowa and other states threatening their children, the Des Moines Register reported.
Denial of service—Cyber attackers inundate a district’s network by flooding it with unnecessary and meaningless requests until it either can’t respond to other users, or just completely crashes. That might block staffers, parents, students, and others from using district email, websites, and online accounts (including banking).
These days, you can even hire someone to carry out a denial-of -service attack for you, Cloutier said. A disgruntled student, parent, or employee could “execute a cyberattack for as little as five to ten dollars without any understanding of what was actually happening behind the scenes,” he said.
Denial-of-service attacks made up 5 percent of reported incidents in K-12 education in 2020, according to K12 SIX. Often, the perpetrators are locals such as a student possibly looking for a day off from school, said Amy McLaughlin, the cybersecurity director for the Consortium for School Networking, a group that represents chief technology officers in school districts.
Other types of attacks—Schools also grapple with “class invasions,” (also known as “Zoombombing”) where an unauthorized person jumps into an online class, sometimes spouting hate speech, showing pornographic images, or shouting threats. Often, the attackers are just looking to disrupt class, get a laugh, or make students and teachers uncomfortable.
A close cousin to that approach: “Meeting invasions,” which target virtual school board or PTA meetings, and other online events, often not for any specific reason other than to irritate district officials.
Hackers may also send bulk emails to parents, students, and district employees filled with inappropriate content, frequently as a prank.
Similarly, district websites can be taken over by offshore political groups using them to espouse propaganda, or maybe by students making fun of the district, Levin said.
And a more recent development: “hacktivism,” in which a district may get hacked in protest of its stance on, say, COVID mask-wearing or curriculum changes.
What’s the impact of these attacks?
A lot of wasted time and money.
It’s not unusual for schools to close during a cyberattack, while the district works to get itself back up and running. In January of 2022, the Albuquerque, N.M., public schools, the largest district in the state, shut down for two days because of a cyberattack. That kind of closure is particularly tough to swallow when students are struggling to regain their academic footing due to the pandemic.
In the business world, cyberattacks mean lost profits, but “in the school world we lose the ability to deliver learning,” Cloutier said.
That’s not to say there isn’t a financial hit as well. The “loss of a day of school is worth thousands to millions of dollars, depending on the size of your district,” McLaughlin said.
What’s more, districts are finding that cybersecurity insurance costs are on the rise, she added. Insurance companies increasingly expect districts to have their own security systems in place before they will take them on as clients. For organizations that don’t have certain protections in place, premiums rose by as much as 300 percent over the past year, according to one industry report from Gallagher Consulting.
McLaughlin credited those price hikes to a “maturing market” for cybersecurity insurance. In the past, districts assumed they didn’t need to worry much about risks, since they had insurance. Now, cybersecurity insurance is becoming more like, say, homeowners’ insurance, where policyholders will get a better deal if they have protections in place such as sprinklers and alarm systems.
You can invest billions of dollars in all of the highest-level, most sophisticated firewalls and detection mechanisms. And invariably, a phishing email is going to get through.
Cybersecurity measures: How can districts and schools protect themselves?
There’s no way to eliminate risk, only to mitigate it. But districts should still take steps to protect themselves, experts say.
“You could do everything perfectly and you may still have a problem,” McLaughlin said. By having safeguards in place, “you’re gonna be less of a juicy target than somebody else.”
There’s a lot that districts can do that’s low-cost or free, Cloutier pointed out.
One good place to start: A risk assessment, to give districts an “understanding of what they have, where is it? How valuable is it to the district, and then, in turn, to a criminal?” Cloutier said.
Districts also need to have a technology and communications strategy in place for how they would respond to a cyberattack, and practice that plan, just as they would a fire or active-shooter drill.
The plan doesn’t have to be a “Nobel Prize-winning document,” Russeau said. A one- or two-page description of how the district will handle various types of cyberattacks would work.
And even though hackers have started infiltrating and monkeying with district back-up data, it’s still a good idea to back everything up, Levin said.
Districts should also implement multi-factor authentication so that staffers and students need more than just one username and password to access their systems. Some multi-factor authentication systems may text a code to the user’s cellphone, for instance, to confirm the person’s identity.
And school districts should teach employees not to use the same passwords on multiple sites, share them, or make them easily guessable. Employees also should learn to spot a phishing email, in which criminals posing as someone in the district, or a vendor, may ask for their login credentials. And they should immediately report any suspicious emails to their IT departments.
“You can invest billions of dollars in all of the highest-level, most sophisticated firewalls and detection mechanisms. And invariably, a phishing email is going to get through,” Russeau said. “And if a staff member doesn’t recognize it, and opens the attachment or clicks on the link, all of a sudden you’ve got someone in the payroll department sending copies of everyone’s W-2 to someone they think is the superintendent but isn’t.”
The top leaders in school districts also need to go beyond endorsing cybersecurity efforts, and get personally involved, Russeau emphasized.
Often, district leaders think, “well, that’s a technology thing, the technology department will worry about security,” he said, adding, “but so many of the security decisions that we make as an IT department are really in direct response to what leadership tells us about how much risk they are willing to stand.”
What are federal and state policymakers doing about K-12 cyberattacks?
They are starting to take notice. State lawmakers introduced at least 170 cybersecurity bills last year that focused directly or indirectly on K-12. That’s a little less than double the number of such bills introduced in 2020, according to a recent report from CoSN.
Fifty-one of those bills became law. They included measures such as new requirements on reporting incidents of cyberattacks, mandates for state cybersecurity planning, and new funds for bolstering cybersecurity.
In Congress, lawmakers introduced at least 19 cybersecurity bills in 2021 that were directly or indirectly relevant for K-12 schools, CoSN reported. That’s also about double the number for 2020.
And in October of 2021, President Joe Biden signed the K-12 Cybersecurity Act, which calls for the federal cybersecurity agency to make recommendations about how to help school systems better protect themselves.
