A wide range of cybersecurity threats are sweeping through the education sector, sowing discord and costing public schools significant time, money, and trust.
Criminal hacking groups have terrorized and extorted school communities. Email scams have led to identify theft, fraudulent tax returns, and stolen public funds. Mistakes by district staff, third-party vendors, and other outside groups have left teacher and student information vulnerable.
Still, the country鈥檚 K-12 information-technology leaders are likely underestimating the dangers they face. Most don鈥檛 see cybersecurity threats such as ransomware attacks, phishing schemes, and data breaches as a significant problem, according to a new survey by the Consortium for School Networking, or CoSN, and the 91制片厂视频 Week Research Center.
Even more troubling, many school technology leaders are failing to take basic steps to secure their networks and data. Just 15 percent say they have implemented a cybersecurity plan in their own district, the survey found.
That鈥檚 not good enough, said Keith Krueger, the CEO of CoSN, a professional association for K-12 technology leaders.
鈥淭he challenges are becoming more sophisticated, and everyone is at greater risk,鈥 Krueger said.
Many experts agree.
In February, for example, the Internal Revenue Service issued an 鈥渦rgent alert鈥 about scammers targeting school districts, with the aim of fraudulently obtaining employees鈥 federal W-2 forms, payroll information, or other data that could be used to steal money and file false tax returns. Dozens of districts fell victim to such attacks.
And last month, the U.S. Department of 91制片厂视频 issued a fresh advisory, warning of criminal hackers seeking to take advantage of schools鈥 weak security by stealing or locking up their sensitive data, then holding them for ransom. The announcement followed hacks of schools in Iowa, Montana, and Texas believed to be perpetrated by an overseas criminal group known as Dark Overlord.
All told, at least 235 K-12 cybersecurity-related incidents have been reported by media outlets since January 2016, said Douglas A. Levin, the CEO of consulting group EdTech Strategies. Far more have almost certainly gone unreported, he said.
The threat is many-sided.
While often overlooked, staff and students are frequent sources of cyber mayhem, Levin said鈥攕ome because they鈥檙e out to cause harm, others because they don鈥檛 know any better.
School districts have also done a poor job of ensuring that outside companies provide adequate cyber protections. The CoSN/91制片厂视频 Week Research Center survey, for example, found that nearly 3 in 4 district IT leaders say they are not 鈥渁dding security safeguards to vendor negotiations.鈥
And while the K-12 sector has spent heavily on digital devices, software, and bandwidth, investments in cybersecurity have not kept pace. That鈥檚 left many district IT departments understaffed and under-resourced鈥攋ust as they鈥檙e being asked to fend off the types of attacks that have overcome such corporate titans as Equifax, Target, and Yahoo.
鈥淚n general, our data and IT systems are under assault,鈥 Levin said. 鈥淚t would be negligence on the part of K-12 leaders to believe that somehow schools don鈥檛 represent a big new target.鈥
To better understand the cybersecurity challenges facing schools, 91制片厂视频 Week talked with school leaders in Arizona, Connecticut, Montana, and Texas about the cybersecurity incidents they faced, and how they responded.
鈥楾he Threat Is Real鈥
Dark Overlord hackers attack Columbia Falls, Mont., schools
Steve Bradshaw was looking at another terrifying email message.
An overseas criminal hacking group known as Dark Overload had already compromised one of the servers used by the 2,100-student Columbia Falls, Mont., school district, where Bradshaw is the superintendent. The hackers had stolen reams of sensitive information, including special education and behavioral-health reports on children, and sent parents graphic messages threatening their children with violence. And in a seven-page ransom letter, the group had promised an 鈥渋mmense and unfathomable amount of financial and reputational harm鈥 if Columbia Falls failed to meet its demand for $150,000 in a cryptocurrency known as Bitcoin.
Now, the hackers said they had breached the district鈥檚 internet-connected security-camera systems. The message said they had been watching the law-enforcement officials outside the school, accurately describing their location and movements.
For the first time in his 42-year career, Bradshaw said, he started sleeping with his shotgun.鈥淚t was a full-blown crisis,鈥 he said.
The attacks spread to 32 schools throughout Montana鈥檚 Flathead Valley, affecting 15,000 students. The FBI got involved. Columbia Falls shut down for three days. When schools reopened, parents wanted to maintain armed patrols of the hallways.
After the threats of violence were deemed not credible, Bradshaw鈥檚 district decided not to pay the ransom. But two months after the attack, the threat of a massive release of sensitive student data still hangs over the area. And the Dark Overlord hackers have apparently branched out, claiming credit for similar cyberattacks of schools in Iowa and Texas.
Bradshaw attributes his district鈥檚 vulnerability to a number of factors. Not long before the hack occurred, he said, the Columbia Falls鈥 IT director had retired, and the 2陆-person department had lost one of its part-time staff members.
During the prior years, Bradshaw said, the district had also neglected to upgrade its servers or purchase new cybersecurity software. The money instead went to buying digital devices for students, interactive white boards, virtual-reality science-lab software for classrooms, and better Wi-Fi access for schools.
鈥淭he tech came on fast,鈥 Bradshaw said. 鈥淎nd there were a lot of things we didn鈥檛 really understand that you shouldn鈥檛 do anymore, like leaving access to our servers through outside entry points.鈥
That combination of more technology, new threats, and underinvestment in security is common inside many of the nation鈥檚 schools, said Keith Krueger, the CEO of the Consortium for School Networking.
Most districts don鈥檛 have a staff member dedicated specifically to cybersecurity, CoSN recently reported. And many district IT leaders have been slow to grasp the severity of the threat they face. Just 27 percent said ransomware attacks similar to what happened in Columbia Falls are a significant problem, according to results from a new CoSN/91制片厂视频 Week Research Center survey.
鈥淜-12 is not a sector with huge technical capacity,鈥 Krueger said. 鈥淭he threat is real, and there needs to be more awareness.鈥
鈥榃e Should Have Known Better鈥
Glastonbury, Conn., schools fall victim to phishing scam
In February, a new central-office employee in Connecticut鈥檚 6,000-student Glastonbury schools received an email that appeared to be from one of her colleagues. The message requested that she send W-2 tax information for all the district鈥檚 1,600 employees.
She obliged.
In August, however, federal prosecutors said the message was actually sent by Daniel Adekunle Ojo, a Nigerian citizen who had been living in North Carolina. In August, Ojo was charged with fraud and identify theft; authorities say he used a fake email address to steal Glastonbury school employees鈥 information, then file 122 false tax returns seeking a total of $596,897 in refunds. Ojo has pled not guilty to the charges.
Such scams are pervasive throughout K-12, said Douglas A. Levin of EdTech Strategies, who has been tracking cybersecurity incidents in schools for almost two years.
Among other districts where sensitive employee information was successfully phished: Manatee County, Fla., where hackers obtained the names, addresses, wages, and Social Security numbers of more than 7,700 school employees; and Atlanta, where scammers stole more than $56,000 from employees by successfully rerouting their direct-deposit payments.
Fake emails were also recently used to scam districts in Boulder, Colo., and Lake Ridge, Ill., out of hundreds of thousands of dollars in school construction funds.
Given such losses, Levin said, it鈥檚 surprising鈥攁nd alarming鈥攖hat fewer than half of district information-technology leaders describe phishing attacks as a significant problem.
One contributing factor: With so much recent attention and legislation around student-data privacy, many schools have been focused on identifying what information is collected from students and how it is used, rather than on how to keep safe the full scope of sensitive information on their networks.
That was the case in Glastonbury, Superintendent Alan Bookman said in an interview with 91制片厂视频 Week.
But after falling victim to the phishing scam, Bookman said, his district has revamped training to provide outside guidance to administrative staff in departments such as human relations and payroll, where sensitive employee information is kept. Protocols around staff-email use are stricter. And all Glastonbury employees are now required to pick up duplicate tax forms in person.
鈥淲e should have known better,鈥 Bookman said of the mistakes Glastonbury made.鈥淲e鈥檙e living in a different world.鈥
鈥楴othing We Could Really Do鈥
Pflugerville, Texas, schools compromised by others鈥 missteps
Victor Valdez is laser-focused on cybersecurity.
As the chief technology officer for Texas鈥 24,000-student Pflugerville Independent school district, Valdez said he faces cyber threats every day. One of his responses: 鈥渉iring a third-party company to come in and hack us, so we can find out where we鈥檙e vulnerable and clean things up.鈥 Another strategy is to constantly monitor Pflugerville鈥檚 network, a tactic that last school year led Valdez鈥檚 team to identify and staunch a sudden, unexplained surge of traffic from Europe.
Still, such vigilance hasn鈥檛 been enough.
This past spring, an unknown number of the district鈥檚 employees鈥攊ncluding Valdez himself鈥攈ad their names and Social Security numbers compromised, as a result of a breach at the Texas Association of School Boards.
TASB is a statewide nonprofit group that, among other things, administers an unemployment-insurance program for Texas school employees. Spokeswoman Barbara Williams said TASB officials learned in May that personal information for more than half a million of those employees, in roughly 900 school districts across the state, had been posted publicly on the internet.
The association has spent months trying to notify everyone who may have been affected, offering a year of free credit monitoring and identify-theft resolution services, Williams said. The group has also stepped up its training, monitoring, and security procedures. There have been no reports that any of the compromised information was misused, according to Williams.
But for hundreds of other Texas districts, the breach is just another example of how even the best-laid K-12 cybersecurity plans can鈥檛 cover everything.
鈥淚t鈥檚 tough,鈥 said Valdez. 鈥淪hort of communicating with our employees, there鈥檚 nothing we could really do.鈥
Struggling to Maintain Public Trust
Tucson, Ariz., loses control of its website
鈥淲e don鈥檛 mess around when it comes to security!鈥
That鈥檚 the promise that Jupiter, Fla.-based company SchoolDesk, which creates and maintains websites for school districts, made in its $64,500-per-year contract with the 47,000-student Tucson, Ariz., schools.
Despite such assurances, though, hackers breached one of SchoolDesk鈥檚 servers earlier this month, temporarily redirecting roughly 800 school district websites around the country to Arabic-language messages in support of the militant Islamist group ISIS, as well as an image of former Iraqi dictator Saddam Hussein.
Tucson was one of the districts affected, leading to a spate of concerned news stories and social-media messages. A spokeswoman for the Tucson district said the site 鈥渨as restored to normal in a matter of hours.鈥 A statement from SchoolDesk said the company was cooperating with law enforcement to find the hackers responsible and 鈥渦ser data is secure and unaltered.鈥
Outside experts say the incident highlights a couple of the big cybersecurity challenges facing schools.
Sometimes, hackers mostly want to create mayhem, said Douglas A. Levin of EdTech Strategies. That鈥檚 what happened when outsiders recently took control of the official Twitter accounts of Florida鈥檚 Fort Lucie school district and Nevada鈥檚 Foothill High School, in Henderson.
And ensuring that vendors provide strong information-technology safeguards has proved particularly difficult for K-12 schools, said Missouri State Auditor Nicole Galloway, who has been examining school cybersecurity practices in her state.
Technology contracts should outline who is responsible for preventing and detecting breaches, and what steps will be taken if a problem occurs, Galloway said. But that鈥檚 not typically what happens, leaving schools open to considerable risk.
鈥淚f a school district is financially responsible for monitoring credit scores or hiring attorneys or forensic specialists, that鈥檚 money that doesn鈥檛 go into the classroom,鈥 Galloway said. 鈥淎nd if a breach does happen, it can hurt parents鈥 perception of how their district is handling technology.鈥
