Cybercriminals strike schools amid pandemic

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jenni Bergal
 

Connecting state and local government leaders

By Jenni Bergal

|

School IT staffs have been consumed with transitioning teachers, staff and families to virtual learning, making districts even more vulnerable to hackers, experts say.

Just days before the Aug. 3 scheduled start of school, officials at the Athens Independent School District in East Texas received a shock.

Cybercriminals had attacked the district’s entire computer network, encrypting all the data and demanding $50,000 in ransom for its release. Access to everything from teacher communications to student assignments was blocked.

“It was terribly disruptive, to put it mildly,” said Toni Clay, the district’s spokesperson. “We no longer had access to any student information, such as schedules, email addresses, anything that would be stored. Internally, we had no staff information. It was all frozen.”

The plan had been to begin school online for three weeks and then transition to a hybrid model of both virtual and in-person classes. Instead, officials ended up delaying the start of school completely for a week.

Athens is one of at least 16 school districts, from California to New Jersey, that have been victimized in a rash of ransomware attacks since the end of July.

Some have been forced to push back school reopening dates. Others that already started school have had to cancel classes for a day or more.

The attacks have placed a heavy burden on school administrators as they grapple with whether it’s safe for students and teachers to return in person and whether schools are prepared to handle social distancing and other requirements.

School information technology staffs, meanwhile, have been consumed with the transition to virtual learning, making districts even more vulnerable to hackers, experts say.

“School district IT shops were supporting the network and the remote environment and software upgrades and training. They were overwhelmed by requests for help in ways they had never seen before,” said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides professional development and consulting services to local government IT executives.

“People’s attention spans at the security end probably got dissipated trying to put out all these fires,” he said. “There were so many calls to answer.”

At the Athens district, Clay said IT staffers were stretched thin adapting to the new teaching and learning environment.

“Our IT departments are having to do 100 things and get that done yesterday. New software, issuing new devices, installing cameras, helping out families and staff having trouble getting the technology to work for them,” she said. “That already is a tremendous amount of strain on the infrastructure of a school district. It makes us targets for people who care nothing at all about the impact this type of destruction has on our communities.”

And as schools reopen for in-person classes, laptops taken home by students, teachers and administrators are being reconnected to school networks, which could make it easier for criminals to introduce malware, said Doug Levin, a cybersecurity expert who runs EdTech Strategies, an Arlington, Virginia-based education and technology consulting firm.

Ransomware spikes

Before COVID-19, ransomware attacks on school districts already were spiking, according to Levin. Ransomware hijacks computer systems and holds them hostage until their victims pay a ransom or restore the system on their own.

In 2019, there were at least 62 such cases, compared with 11 the previous year, said Levin, who created the K-12 Cybersecurity Research Center, which tracks and posts publicly disclosed cyber incidents in public school districts.

“Cybercriminals have been getting more savvy about how to target school districts,” he said. “And they understand that school opening is a high-stress, high-leverage point for them to attack. You are trying to enroll students, sign up for your PTA, coordinate bus schedules.”

Among some of the recent attacks:

  • Haywood County Schools in North Carolina were closed for several daysin late August. Students have been getting instruction remotely since then.
  • Ponca City Public Schools in Oklahoma delayed school reopening from Aug. 19 to Aug. 24 after they were struck.
  • King George County Schools in Virginia had to cancel virtual classesand close school buildings to the public Sept. 3 until classes resumed after Labor Day.
  • Hartford Public Schools in Connecticut postponed the first day of school on Sept. 8, both virtually and in person, after the city was hit by an attack that  affected multiple school district systems, including one used to communicate transportation routes for buses.

Just last week, Newhall School District in Valencia, California, had to put its classes, which have been 100% virtual, on hold for the day after a ransomware attack.

For now, the students — all in elementary school — don’t have access to their teachers online so they’re doing classroom activities at home using paper and pencils, said Jeff Pelzel, the district superintendent.

“With COVID, we don’t have the luxury of saying, ‘We want to bring you back in and teach you live right now.’ And if you sit home with paper and pencil, you’re not moving learning forward because you’re not in touch with the teacher,” he said. “It’s another layer of frustration for teachers, administrators, parents and students.”

Data breaches

For years, cybercriminals who launched ransomware attacks typically encrypted data and demanded ransom, usually in bitcoin, a cryptocurrency, in exchange for a decryption key. They didn’t access the data or make it public.

But experts say that has been changing. A growing number of cybercriminals are getting ahold of the data and threatening to make public sensitive information if they don’t get their money.

“They’re using data as additional leverage to extort payments,” said Brett Callow, a threat analyst for global cybersecurity company Emsisoft.

Some cybercriminals have posted data from local governments online, such as details about salaries, Social Security numbers and police investigations, he said.

In Knoxville, Tennessee, for example, ransomware hackers who struck in June put personal information about city employees online, including names, addresses and performance scores.

School districts haven’t been immune. Since the beginning of September, data stolen from at least four of them apparently has been published online, according to Callow.

Among them is the Clark County School District in Las Vegas, which was targeted in late August. The district later sent out a data privacy breach note warning that some current and former employee personal information might have been accessed.

Fairfax County Public Schools in Northern Virginia, the largest district in the state, announced Sept. 11 that it had been the victim of a ransomware attack. The hacker group Maze, which has been responsible for many ransomware attacks, claimed online that it had gotten ahold of private information from the district and had published a Zip file of data allegedly taken.

Ransom demands also have skyrocketed, cybersecurity experts say. Criminals who used to demand a few thousand dollars now are asking for an average of $150,000 to $250,000, according to Callow.

Clay, of the Athens school district, said the school board initially authorized up to $50,000 in ransom, but the district only would have had to pay a deductible because it had cyber insurance. After private negotiations with the criminals, she said, the ransom was dropped to $25,000.

But the district ended up paying nothing because a few days after the attack, IT staffers, with the help of regional and federal cyber response teams, were able to recover most of the data from a backup system on their own, she added. The hackers “never heard from us again,” Clay said. No arrests have been made.

Athens was fortunate to have a robust cybersecurity system that allowed it to recover its data. But not every school system does.

Under normal circumstances, most districts probably could decide not to pay ransom, even if it would take weeks or months to restore data, said EdTech Strategies’ Levin. Instead, they could make do by creating lesson plans and teaching students in school the old-fashioned way while they brought back their data systems.

But COVID-19 has changed that for schools that haven’t reopened in-person classes, he said.

“At a time of remote learning, that possibility doesn’t exist,” he said. “It’s very difficult to see a school district in a position where the choice is either pay an extortion fee or if not, take the time to rebuild an IT system.”

Those that don’t pay might have to stop teaching students “for a long time,” he added. “And that plays right into the hands of these criminals.”

This article was first posted to Stateline, an initiative of The Pew Charitable Trusts.

NEXT STORY: Staying strong against evolving ransomware

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.