Cyber criminals are targeting U.S. schools at an increasing rate after remote learning during the pandemic left them more vulnerable to hacks, and the risk shows no sign of abating as students and teachers head back to the classroom this month.
The number of publicly disclosed computer attacks on schools has exploded since 2016 to a record 408 in 2020, according to the K-12 Security Information Exchange, a nonprofit that tracks such incidents, and those figures are almost certainly an undercount because many go unreported. While schools are opening back up across the country for in-person instruction, many are expected to retain virtual learning as an option and that means more access points for potential intrusion with financial consequences for districts that are already facing increased costs to bring students back.
The growing frequency of hacks — averaging more than two per school day last year — has school officials worried about the potential for the theft of students’ identities and the added cost to insure against attacks and repair breaches. In Del Rio, Texas, the district comptroller mistakenly wired more than $2 million to a hacker’s account. About 170 miles (274 kilometers) away, a district in Live Oak, Texas, paid an undisclosed ransom amount to regain control of some computer platforms, and in Broward County, Florida, thousands of stolen files, including some confidential information, were published after district officials refused to pay a $40 million ransom, according to local reports.
“We see no evidence that this is abating,” said Keith Krueger, chief executive officer of the nonprofit Consortium for School Networking. “Criminals are having luck with it, they’re obviously having it with big cases we’re reading about every day. With back to school, we’re bracing ourselves for a real challenge this fall.”
Wall Street and the people who’ve lent some $600 billion to school districts in the bond market are increasingly concerned over the risk to their investments. Cash-constrained public schools are easy targets for hackers looking to extract data, extort money or simply sow chaos amid a broader surge in cyberattacks across industries. A mother even allegedly hacked a school to secure her daughter’s spot on homecoming court last year.
Schools’ defenses tend to be weaker with less in-house expertise than comparably sized businesses like banks or hospitals. And attacks are on the rise partly because they’re becoming cheaper to execute. “The going rate for a ransomware attack is about $100 on the dark web,” said Ryan Cloutier, president of SecurityStudio, a cybersecurity company.
The increase in the number of cyberattacks doesn’t account for the schools that never publicly report incidents, said Doug Levin, national director of K-12 Security Information Exchange. “It’s absolutely an undercount,” he said. “I would not be surprised if there were 10 to 20 times more incidents happening.”
Bond Payment
At San Felipe Del Rio Consolidated Independent School District in Texas, the comptroller received a fraudulent email from someone claiming to be a representative of the financial institution that the school made bi-annual bond payments to. The scheme worked, and in February 2020 district officials mistakenly wired more than $2 million dollars to the hacker’s account.
“Going to remote has really ramped up the level of cyberattacks,” said Daniel Barton, head of tax-exempt bonds at Mellon, which owns school district debt as part of $25.9 billion in municipal asset as of June 30. “I don’t see this problem going away soon. There are so many bad actors.”
The Judson Independent School District in Texas paid an undisclosed ransom amount to regain control of some of its computers. Broward County Public Schools officials in Florida were asked to pay a $40 million ransom, and when they refused, hackers in April published tens of thousands of stolen files.
Moody’s Investors Service says the rate of attacks on schools has “increased exponentially” since it began tracking cyberattacks in 2018. Remote learning during the pandemic as well as the overall increase in the use of devices and virtual classrooms has opened up opportunities for ransomware, phishing, denial of service and data breaches.
Identity Theft
When Deborah Ketring, chief information officer for Rockwood School District in Missouri, arrived to work on June 17, her colleagues noted that their computers looked off. Servers weren’t acting right, and staff couldn’t access their files. Ketring immediately knew it was a malware attack, and within 25 minutes she’d shut down the entire network, which powers technology across 35 buildings in the district with more than 21,000 students and 4,000 staff.
It’s the latest in a string of attempted hacks at Rockwood that have picked up over the last year and a half, many in the form of phishing schemes baiting staff to click links or impersonating district officials. The district is actively working with FBI officials and said “student and staff member information was present on the impacted systems,” though there is currently no evidence of misuse of that data, according to a press release.
One reason a hacker might target a school is to access personal identifying information of young children, laying the groundwork for identity theft years down the line. It could be a decade or longer before parents of a kindergarten student ever look at their child’s credit report and realize there’s a problem, Ketring said.
“We don’t think about their info as being high value, but it is,” she said.