The problem of school cyberattacks are on the rise: Why schools are easy target for hackers? An executive director at K12 Security Information eXchange
Doug Levin, the director of the K12 Security Information eXchange, a national nonprofit helping protect K-12 school districts from cyberattacks, says these federal efforts are a good start, but they’re not enough, especially given the increasing scale and severity of the attacks.
Anne Neuberger, a deputy assistant to the president and a deputy national security advisor for cyber and emerging technology, says that they are making the resources available, educating, and bringing school janitors together to learn about the threat.
She says the White House doesn’t have the authority to require minimum school cybersecurity protocols, like they can with rail, airports and pipelines.
We need to move fast and have more conviction here. We think that we’re going to need a much more robust effort from the federal government to make progress on this issue,” he says. “Tomorrow is too late.”
In Albuquerque, Elder’s district has beefed up security protocols. The IT department sends out fake emails to see if staff click on them as part of ongoing training.
Source: One reason school cyberattacks are on the rise? Schools are easy targets for hackers
One reason school cyberattacks are on the rise? School cyber attackers are easy targets for hackers: Revisiting a good email sent to the White House
He says he has become paranoid in the last few years. The White House invited him to a summit on Cybersecurity, but he didn’t believe that the email was legit.
I got the email and immediately thought, “Oh, good one!” This is a good one and I’m heading to the White House. He recalls thinking that was ridiculous. He reported the email to his IT department as a phishing attempt.
Elder is trying to get everyone in the district to know the importance of cyber safety. He says that even though you have been hit once, it’s not a sign that it can’t happen again.
Everyone in Atlanta was required to change their passwords. The district also made cyber security training mandatory for all staff, so everyone had to learn to recognize possible phishing emails and other safe practices.
Is this part of your culture? The tech person has to be more than that. Every teacher, every school secretary, and every student need to log into any district device.
“Those three things. If every district in the country did those things that don’t cost money … we [would] have a way to defend and protect our schools,” Marten says.
Source: One reason school cyberattacks are on the rise? Schools are easy targets for hackers
What can schools do to make sure they are cyber-aware? Using Multifactor Authentication in the U.S. Department of Education
The first step is to have complex passwords. Multifactor Authentication requires users to enter more than just a password to access their account, which can include using a phone, a photo, or a thumbtack. Software is kept up to date.
Cindy Marten, deputy secretary of the U.S. education department, says school districts can do a lot to build a cyber aware culture.
There’s no way to know just how many K-12 school systems have been targeted by hackers. According to the GAO report, that’s because school districts may be reluctant to report a cyberattack. In addition, experts say, the federal government doesn’t require that schools report cyberattacks.
“They believe it shows that you failed.” I don’t think that we failed. I think this is now a fact of life, and you better be prepared to address it.”
School District Scott Elder, an Alarmist for School Cyber Security Hackers, and the Albuquerque School District, Incidentally Left Behind by Foreign Nationals
Johnny isn’t trying to change his grades in his room. And we’re a school district. We weren’t equipped to go to cyber war with foreign nationals that are well funded.
Elder says the FBI told him that the attack was carried out by hackers overseas. He says he was surprised that the operation was so advanced.
The Albuquerque district was in the middle of receiving quotes for cyber insurance when the attack happened. They increased their costs by 330% after the attack.
Scott Elder has a morning routine. He wakes up at 7 a.m., drinks coffee and feeds the dogs, Bella (a rat terrier) and Spencer (a Chihuahua). Elder’s routine was interrupted by a phone call.
Elder was advised by the FBI not to share specific information with families because hackers monitor communications. And district leaders couldn’t use email because they didn’t want to risk spreading the virus. So Elder set up robocalls and did media interviews to get the message out.
The student records system had a bug. So Elder’s IT staff shut that network down. But that meant teachers wouldn’t have access to basic information about the almost 70,000 students enrolled in New Mexico’s largest school district. A teacher couldn’t take attendance, wouldn’t know the bus routes of children, and was locked out of the grading system.
Source: One reason school cyberattacks are on the rise? Schools are easy targets for hackers
A Real Problem for Albuquerque Public Schools: a Data-Secure Attack on a High-Velocity School
“I would say that I went from mildly disturbed at 7 a.m., to very concerned by 9 a.m., to sick to my stomach by noon because I was beginning to realize that this was not a one-day event, that we had a real problem.”
Experts like Callow say these attacks often come from outside the U.S. They can involve ransomware, where hackers lock data up and demand payment to “unlock” it. If districts don’t pay up, they will release the data publicly.
The attackers can includeZoombombing, where someone invades on a video call, often with pornographic or hateful images; denial of service attacks, which prevent or slow the use of networks; andPhishing, an attempt to access data through fraudulent emails.
In many cases, sensitive data about students and staff – including social security numbers, sexual assault records and discipline information – has been stolen. This information can be used to steal identities.
In the end, the attack closed Albuquerque Public Schools for two academic days. Staff and outside contractors worked through a long holiday weekend, and schools reopened six days later, once they realized no financial or health information had been compromised, and the district’s backup systems were intact.
Schools are “low hanging fruit,” says Noelle Ellerson Ng with the School Superintendents Association, which represents 9,000 district leaders across the country. She says schools are often a community’s single biggest employer, and school systems collect a lot of data.
“It’s been a pain, but a lot of hard work,” said a security consultant after the cyberattack on Atlanta Public Schools
That makes it very ripe. And then you layer on the fact that [the data] is so sensitive and so longitudinal and so personal, and there’s a huge vulnerability.”
“I said, ‘We’re not coming back until we know for sure it’s safe for kids,’ ” Elder recalls. ” ‘And I know that’s frustrating I know you want to go out, but I can’t tell you when that will be. “
The IT head for Atlanta Public Schools began to investigate when he was told that some staff hadn’t been paid. The employees who had clicked on the fake email had inadvertently left their payroll details in the hands of the hackers. Hackers went in, changed the bank details and employee salaries were rerouted.
“Some of those firms charge upwards of $400, $500 an hour. We took laptops from all of the people who had been compromised. We took the forensic data for the hard drives. It was just a lot of man hours and a lot of effort and a lot of consulting time.”
From there, the costs just piled up. They paid for a retainer agreement with a security firm, bought cyber insurance, installed additional software and hired specialized staff.
Source: One reason school cyberattacks are on the rise? Schools are easy targets for hackers
How bad are kids at school? The Minneapolis public school cybersecurity attack and how it can affect a surprising group of people: young public school students
Spending on cybersecurity would not be popular, he says. The schools often don’t know where their money should go.
Two of gravatt’s children have graduated from Minneapolis schools, and one is currently in middle school. She says it was only when she checked social media that she realized the true extent of the attack, and what it could mean for her kids.
Minneapolis Public Schools did not make any officials available for an interview. In a statement, the district said it sent written notice to over 105,000 people who may have been affected by the attack.
“This breach was actually really huge,” Gravatt says. “And it wasn’t just school records. It was health records, it was all sorts of things that should be privileged information that are now just out there floating around for anybody to buy.”
“As it turns out, the identity information of children is actually more valuable to them than that of adults,” says Doug Levin, director of the K12 Security Information eXchange, a nonprofit that helps protect school districts from cybersecurity risks.
He says that it can cause a lot of trouble since they don’t have their own resources. Parents don’t necessarily monitor their children’s credit and bad actors can easily open up bank accounts, rack up debt and apply for loans in a child’s name.
Source: Hackers are targeting a surprising group of people: young public school students
Black and Brown Students are More Vulnerable to Hackers: A Surprise Group of Students: Minneapolis Public Schools. Source: Cybersecurity Hackers are Targeting Young Public School Students
School systems’ educators can be a little bit like pack rats. There’s a lot of information that is collected over time, and it’s sometimes not deleted when no longer necessary.
Black and brown students are more vulnerable when a school system is hacked. The report states that black students in the state are eight times more likely to be suspended or expelled than white students.
“So that also means that more of their information is being input into the system,” says Marika Pfefferkorn. She co-founded the Twin Cities Innovation Alliance to educate and empower parents about how data collected about their children could be misused.
Say a student has a history of drug use that’s been successfully overcome; or they have disciplinary records that should have been expunged, but are now publicly available. That information could come up in college applications, job interviews and court hearings.
If the information about gender identity, immigration status, pregnancy and other related issues became public for specific individuals at a certain point in time, it could be life threatening.
Minneapolis Public Schools says it provided impacted individuals with free credit monitoring services for one year, as well as guidance on how to protect against identity theft and fraud.
If you suspect that someone is trying to steal your identity, you should place a fraud alert and security freeze on your credit file, contact national consumer reporting agencies, and seek the help of the Federal Trade Commission, state attorney general, and local law enforcement.
Source: Hackers are targeting a surprising group of people: young public school students
She’s scared of the unknown, but she’s worried about her kids’ safety and their future – a mom’s perspective
“It felt really overwhelming,” says a Minneapolis parent. She thinks it’s not realistic to think parents can do everything the school district suggests.
“I tried to just kind of be an ostrich about it, right? I was in the mindset of, well, if someone knocks on my door and tells me my child just got a new boat, I’ll show him where he is! And hopefully it won’t be hard to get the charges reversed.”
Her family moved to a different school district, but she says the whole experience was frightening. She worries about her children’s physical safety as a parent. Now, cybersafety is another thing she’s worried about.
Celeste Gravatt is concerned as well. She locked her kids’ credit so that no one could open accounts in their names. She’s concerned that her child’s health information will be made public. She still feels uneasy when she thinks about it.
“I’m not what I would call a tech savvy person. So I do wonder, like, if somebody were to obtain information that they shouldn’t have, would I even know till it was too late? I don’t know.”