Data leaks are becoming so commonplace it seems like we’re almost becoming immune to them. Another ransomware attack on a business. Another virus crippling a network. Another identity theft scam. But then something happens that shakes us up and reminds us … this is not okay. Such as when an attack hits a little too close to home. For example, this—hackers are now specifically targeting schools.
CNN reported that a school district in Montana was forced to shut down more than thirty schools for three days after hackers infiltrated their network. The hackers sent threatening text messages to staff and students. School Superintendent Steve Bradshaw explained, “The messages weren’t pleasant messages. They were ‘splatter kids’ blood in the hallways,’ and things like that.” The messages also included disturbing references to “Sandy Hook.” But the hackers weren’t done. They also demanded up to $150,000 in bitcoin or they would release stolen school records. At least three other states were hit with similar school data extortion attempts.
Malicious hackers are going after schools because of a combination of weak data security and available information that is ripe for exploitation. As schools rush to incorporate technology in their schools, security protocols are sometimes afterthoughts. Vulnerable information can include social security numbers, birth dates, medical records and financial information.
An attack leaves one school district $10,000 poorer
Can your school afford to send ten grand to a hacker? Leominster Public School district officials recently had to ask themselves that question. A hacker attack left this Worcester County, Massachusetts school district unable to access email, health services, food services, library services, help desk and file services, backup services and more. The attackers demanded $10,000 to decrypt the files. Despite FBI warnings to never pay ransomware, the district felt they had little choice but to pay up. “If we had not used the option of paying the ransom for the decryption of our files, we would most assuredly be in for a much longer recovery at a much higher cost,” said Leominster Superintendent of Schools Paula Deacon. “In the case of one of the file servers, there were over 237,000 files which were encrypted, covering all departments in Central Office.”
According to an article in the Leominster Champion newspaper, the school is now making changes to their network to remove vulnerabilities including replacing old computers. The cost of this overhaul? More than $435,000.
It’s a bigger problem than you think
How many school cyber incidents do you think have occurred in the last two years? Ten? Twenty? Try more than 330 (and growing)! In an attempt to categorize, defend and combat these threats, EdTech Securities has published a map that includes all manner of school-related cyberattacks including data breaches, phishing attacks and “other occurrences that lead to school and personal information being exposed.”
The amount of exposure and consequences of those incidents vary widely. The Wall Street Journal recently reported on a number of cyber incidents including:
- Hackers in Iowa’s Johnston Community School District released school and parent information along with threats to kill the children. A hacker claimed the information was released to help child predators.
- Hackers stole $56,000 worth of paychecks being sent via direct deposit to Atlanta Public School employees
- Hackers stole $75,000 from employees of the Fulton County School district in Georgia
One state gets ahead
Many school districts are realizing the threats of a cyberattack are all too real, and are proactively working to protect themselves. Schools in Indiana are leading the way. As reported by Indiana Public Media, the Indiana Department of Education has targeted thousands of dollars in cyber funding for certain schools. Schools can apply for matching grants of up to $25,000 to build up their cybersecurity systems and improve 24-hour system monitoring. Says Chief Technology Officer John Keller, “Cybersecurity is a layered concern that goes across really all sectors. I mean, it’s not just a teacher thing or a school administrator thing, it’s our students, our staff.”
What you can do
Waiting until a cyberattack hits can be costly to schools and devastating to the families or staff whose information is breached. Fortunately, there are many resources available. For example, the U.S. Department of Education provides a number of cyber-resources and documents related to Security Best Practices, from a Data Breach Response Training Kit to a Data Security Checklist. But it can be daunting to read and figure out exactly what you need to do, especially without a partner to help guide you.
At Single Path, we work with schools across the country to help them uncover and tighten up weaknesses, implement security measures, and create recovery plans if the worst happens. We can help overhaul your entire system, as we did for Great Lakes Academy in Chicago, provide training like we did for Saint Anne Parish School in Barrington, Illinois, and offer any or all of a full range of security offerings.