During an early morning staff meeting at a middle school in New Mexico’s largest city, teachers got their first inkling of a widespread technology problem.
On the video, there were shout-outs for a new custodian’s hard work, as well as the usual announcements from administrators and the union rep.
However, there were hints of a looming crisis in the chat. Nobody could access attendance records, and no one could view class rosters or grades.
Administrators in Albuquerque later confirmed that the outage that prevented access to the district’s student database — which also includes emergency contacts and lists of which adults are authorized to pick up which children — was caused by a ransomware attack.
“I didn’t realize how important it was until I couldn’t use it,” said Sarah Hager, an art teacher at Cleveland Middle School.
Cyberattacks like the one that canceled classes for two days in Albuquerque’s largest school district have become a growing threat to schools in the United States, with several high-profile incidents reported in the last year. And the coronavirus pandemic has exacerbated their effects: more money has been demanded, and more schools have had to close as they scramble to recover data or wipe all laptops manually.
“Incidents have become both more frequent and more significant in pretty much any way you cut it,” said Doug Levin, director of the K12 Security Information Exchange, a Virginia-based nonprofit that assists schools in defending against cybersecurity risk.
Because most schools are not required to publicly report cyberattacks, precise data is difficult to obtain. However, experts believe that public school systems, which frequently have limited budgets for cybersecurity expertise, have become an appealing target for ransomware gangs.
The pandemic has also forced schools to shift toward virtual learning, increasing their reliance on technology and making them more vulnerable to cyber-extortion. School districts in Baltimore County and Miami-Dade County, as well as districts in New Jersey, Wisconsin, and elsewhere, have had their instruction disrupted.
Since 2016, Levin’s group has tracked over 1,200 cyber security incidents at public school districts across the country. They included 209 ransomware attacks, in which hackers encrypt data and charge a fee to unlock it; 53 “denial of service” attacks, in which attackers sabotage or slow a network by faking server requests; 156 “Zoombombing” incidents, in which an unauthorized person intrudes on a video call; and more than 110 phishing attacks, in which a user is tricked into allowing a hacker into their network by a misleading
Recent attacks have also occurred at a time when schools are dealing with a slew of other pandemic-related issues. Teachers become ill, and there are no substitutes available to cover them. Where strict virus testing protocols exist, there aren’t always tests or people to administer them.
An attack this month on third-party software vendor Illuminate Education in New York City did not result in class cancellations, but teachers across the city were unable to access grades. According to local media, the outage added to the stress for educators who were already juggling instruction, enforcing COVID-19 protocols, and covering for colleagues who were sick or in quarantine.
According to Albuquerque Superintendent Scott Elder, getting all students and staff online during the pandemic created more opportunities for hackers to gain access to the district’s system. He cited this as a factor in the Jan. 12 ransomware attack, which resulted in the cancellation of classes for approximately 75,000 students.
The cancellations, dubbed “cyber snow days” by Elder, provided technicians with a five-day window to reset the databases over the holiday weekend.
According to Elder, there is no evidence that hackers obtained student information. He would not say whether the district paid the ransom, but he did say there would be a “public process” if it did.
The cyberattack, according to Hager, the art teacher, increased stress on campus in ways that parents did not notice.
Fire drills were canceled due to malfunctioning fire alarms. The intercoms had stopped working.
As positive test results came in, nurses couldn’t figure out which kids were where, according to Hager. “So there could have been students on campus who were sick.” It also appears that the hack erased a few days’ worth of attendance records and grades.
Edupoint, the vendor for Albuquerque’s Synergy student information database, declined to comment.
Many schools choose to keep attacks under wraps or release as little information as possible in order to avoid exposing additional flaws in their security systems.
“It’s very difficult for school districts to learn from one another because they’re really not supposed to talk about it because you might share vulnerabilities,” Elder explained.
The FBI issued a warning last year about a group called PYSA, or “Protect Your System, Amigo,” saying it was seeing an increase in PYSA attacks on schools, colleges, and seminaries. Conti, one of the nation’s largest ransomware gangs, demanded $40 million from Broward County Public Schools last year.
The majority are Russian-speaking groups based in Eastern Europe, where they are protected by tolerant governments. If they are not paid, some will post files on the dark web, including highly sensitive information.
While attacks on larger school districts get more attention, ransomware gangs more often targeted smaller school districts in 2021 than in 2020, according to Brett Callow, a threat analyst at Emsisoft. He believes this could indicate that larger districts are increasing their cybersecurity spending while smaller districts, which have less money, remain more vulnerable.
A ransomware attack shut down the Synergy student information system of the 1,285-student district of Truth or Consequences, south of Albuquerque, a few days after Christmas. Officials there compared it to being robbed in their home.
“It’s just that sense of helplessness, of being perplexed as to why someone would do something like this because, at the end of the day, it’s taking something away from our children. And that, to me, is a disgusting way to try to get money,” Channell Segura, the superintendent, stated.
The school did not have to cancel classes because the attack occurred during the break, but the network, including keyless entry locks on school building doors, is still down. Teachers are still carrying around the physical keys they had to find at the start of the year, according to Segura.
President Joe Biden signed the K-12 Cybersecurity Act in October, which directs the federal cyber security agency to make recommendations on how to help school districts better protect themselves.
New Mexico lawmakers have been slow to expand internet usage in the state, let alone support cyber security education in schools. Last week, state representatives introduced legislation that would provide the state education department with $45 million to develop a cybersecurity program by 2027.
Ideas for preventing future hacks and recovering from existing ones typically necessitate more work from teachers.
Parents argued on Facebook in the days after the Albuquerque attack about why schools couldn’t simply switch to pen and paper for things like attendance and grades.
Hager claimed to have heard the criticism from her mother, a retired teacher.
“I told her, ‘Mom, you can only take attendance on paper if you’ve already printed out your roster,’” Hager explained.
Teachers could also keep duplicate paper copies of all records, but this would add to the clerical work that already burdens them.
“These systems should work,” Hager says, in an era when administrators are increasingly requiring teachers to record everything digitally.