School & District Management

Schools Struggle to Keep Pace With Hackings, Other Cyber Threats

By Benjamin Herold — November 28, 2017 10 min read
Superintendent Steve Bradshaw started sleeping with a shotgun following a disturbing hacking incident involving his district in Columbia Falls, Mont.
  • Save to favorites
  • Print

A wide range of cybersecurity threats are sweeping through the education sector, sowing discord and costing public schools significant time, money, and trust.

Criminal hacking groups have terrorized and extorted school communities. Email scams have led to identify theft, fraudulent tax returns, and stolen public funds. Mistakes by district staff, third-party vendors, and other outside groups have left teacher and student information vulnerable.

Still, the country’s K-12 information-technology leaders are likely underestimating the dangers they face. Most don’t see cybersecurity threats such as ransomware attacks, phishing schemes, and data breaches as a significant problem, according to a new survey by the Consortium for School Networking, or CoSN, and the Education Week Research Center.

Even more troubling, many school technology leaders are failing to take basic steps to secure their networks and data. Just 15 percent say they have implemented a cybersecurity plan in their own district, the survey found.

That’s not good enough, said Keith Krueger, the CEO of CoSN, a professional association for K-12 technology leaders.

“The challenges are becoming more sophisticated, and everyone is at greater risk,” Krueger said.

Many experts agree.

In February, for example, the Internal Revenue Service issued an “urgent alert” about scammers targeting school districts, with the aim of fraudulently obtaining employees’ federal W-2 forms, payroll information, or other data that could be used to steal money and file false tax returns. Dozens of districts fell victim to such attacks.

And last month, the U.S. Department of Education issued a fresh advisory, warning of criminal hackers seeking to take advantage of schools’ weak security by stealing or locking up their sensitive data, then holding them for ransom. The announcement followed hacks of schools in Iowa, Montana, and Texas believed to be perpetrated by an overseas criminal group known as Dark Overlord.

All told, at least 235 K-12 cybersecurity-related incidents have been reported by media outlets since January 2016, said Douglas A. Levin, the CEO of consulting group EdTech Strategies. Far more have almost certainly gone unreported, he said.

The threat is many-sided.

While often overlooked, staff and students are frequent sources of cyber mayhem, Levin said—some because they’re out to cause harm, others because they don’t know any better.

School districts have also done a poor job of ensuring that outside companies provide adequate cyber protections. The CoSN/Education Week Research Center survey, for example, found that nearly 3 in 4 district IT leaders say they are not “adding security safeguards to vendor negotiations.”

And while the K-12 sector has spent heavily on digital devices, software, and bandwidth, investments in cybersecurity have not kept pace. That’s left many district IT departments understaffed and under-resourced—just as they’re being asked to fend off the types of attacks that have overcome such corporate titans as Equifax, Target, and Yahoo.

“In general, our data and IT systems are under assault,” Levin said. “It would be negligence on the part of K-12 leaders to believe that somehow schools don’t represent a big new target.”

To better understand the cybersecurity challenges facing schools, Education Week talked with school leaders in Arizona, Connecticut, Montana, and Texas about the cybersecurity incidents they faced, and how they responded.

‘The Threat Is Real’

Dark Overlord hackers attack Columbia Falls, Mont., schools

Steve Bradshaw was looking at another terrifying email message.

An overseas criminal hacking group known as Dark Overload had already compromised one of the servers used by the 2,100-student Columbia Falls, Mont., school district, where Bradshaw is the superintendent. The hackers had stolen reams of sensitive information, including special education and behavioral-health reports on children, and sent parents graphic messages threatening their children with violence. And in a seven-page ransom letter, the group had promised an “immense and unfathomable amount of financial and reputational harm” if Columbia Falls failed to meet its demand for $150,000 in a cryptocurrency known as Bitcoin.

Steve Bradshaw, the superintendent of the Columbia Falls, Mont., schools, attributes his district’s cyber vulnerability to turnover in IT leadership, and decisions not to upgrade its servers and invest in new cyber security software.

Now, the hackers said they had breached the district’s internet-connected security-camera systems. The message said they had been watching the law-enforcement officials outside the school, accurately describing their location and movements.

For the first time in his 42-year career, Bradshaw said, he started sleeping with his shotgun.“It was a full-blown crisis,” he said.

The attacks spread to 32 schools throughout Montana’s Flathead Valley, affecting 15,000 students. The FBI got involved. Columbia Falls shut down for three days. When schools reopened, parents wanted to maintain armed patrols of the hallways.

After the threats of violence were deemed not credible, Bradshaw’s district decided not to pay the ransom. But two months after the attack, the threat of a massive release of sensitive student data still hangs over the area. And the Dark Overlord hackers have apparently branched out, claiming credit for similar cyberattacks of schools in Iowa and Texas.

Bradshaw attributes his district’s vulnerability to a number of factors. Not long before the hack occurred, he said, the Columbia Falls’ IT director had retired, and the 2½-person department had lost one of its part-time staff members.

During the prior years, Bradshaw said, the district had also neglected to upgrade its servers or purchase new cybersecurity software. The money instead went to buying digital devices for students, interactive white boards, virtual-reality science-lab software for classrooms, and better Wi-Fi access for schools.

“The tech came on fast,” Bradshaw said. “And there were a lot of things we didn’t really understand that you shouldn’t do anymore, like leaving access to our servers through outside entry points.”

That combination of more technology, new threats, and underinvestment in security is common inside many of the nation’s schools, said Keith Krueger, the CEO of the Consortium for School Networking.

Most districts don’t have a staff member dedicated specifically to cybersecurity, CoSN recently reported. And many district IT leaders have been slow to grasp the severity of the threat they face. Just 27 percent said ransomware attacks similar to what happened in Columbia Falls are a significant problem, according to results from a new CoSN/Education Week Research Center survey.

“K-12 is not a sector with huge technical capacity,” Krueger said. “The threat is real, and there needs to be more awareness.”

‘We Should Have Known Better’

Glastonbury, Conn., schools fall victim to phishing scam

In February, a new central-office employee in Connecticut’s 6,000-student Glastonbury schools received an email that appeared to be from one of her colleagues. The message requested that she send W-2 tax information for all the district’s 1,600 employees.

She obliged.

In August, however, federal prosecutors said the message was actually sent by Daniel Adekunle Ojo, a Nigerian citizen who had been living in North Carolina. In August, Ojo was charged with fraud and identify theft; authorities say he used a fake email address to steal Glastonbury school employees’ information, then file 122 false tax returns seeking a total of $596,897 in refunds. Ojo has pled not guilty to the charges.

Such scams are pervasive throughout K-12, said Douglas A. Levin of EdTech Strategies, who has been tracking cybersecurity incidents in schools for almost two years.

Among other districts where sensitive employee information was successfully phished: Manatee County, Fla., where hackers obtained the names, addresses, wages, and Social Security numbers of more than 7,700 school employees; and Atlanta, where scammers stole more than $56,000 from employees by successfully rerouting their direct-deposit payments.

Fake emails were also recently used to scam districts in Boulder, Colo., and Lake Ridge, Ill., out of hundreds of thousands of dollars in school construction funds.

Given such losses, Levin said, it’s surprising—and alarming—that fewer than half of district information-technology leaders describe phishing attacks as a significant problem.

One contributing factor: With so much recent attention and legislation around student-data privacy, many schools have been focused on identifying what information is collected from students and how it is used, rather than on how to keep safe the full scope of sensitive information on their networks.

That was the case in Glastonbury, Superintendent Alan Bookman said in an interview with Education Week.

But after falling victim to the phishing scam, Bookman said, his district has revamped training to provide outside guidance to administrative staff in departments such as human relations and payroll, where sensitive employee information is kept. Protocols around staff-email use are stricter. And all Glastonbury employees are now required to pick up duplicate tax forms in person.

“We should have known better,” Bookman said of the mistakes Glastonbury made.“We’re living in a different world.”

‘Nothing We Could Really Do’

Pflugerville, Texas, schools compromised by others’ missteps

Victor Valdez is laser-focused on cybersecurity.

As the chief technology officer for Texas’ 24,000-student Pflugerville Independent school district, Valdez said he faces cyber threats every day. One of his responses: “hiring a third-party company to come in and hack us, so we can find out where we’re vulnerable and clean things up.” Another strategy is to constantly monitor Pflugerville’s network, a tactic that last school year led Valdez’s team to identify and staunch a sudden, unexplained surge of traffic from Europe.

Still, such vigilance hasn’t been enough.

This past spring, an unknown number of the district’s employees—including Valdez himself—had their names and Social Security numbers compromised, as a result of a breach at the Texas Association of School Boards.

TASB is a statewide nonprofit group that, among other things, administers an unemployment-insurance program for Texas school employees. Spokeswoman Barbara Williams said TASB officials learned in May that personal information for more than half a million of those employees, in roughly 900 school districts across the state, had been posted publicly on the internet.

The association has spent months trying to notify everyone who may have been affected, offering a year of free credit monitoring and identify-theft resolution services, Williams said. The group has also stepped up its training, monitoring, and security procedures. There have been no reports that any of the compromised information was misused, according to Williams.

But for hundreds of other Texas districts, the breach is just another example of how even the best-laid K-12 cybersecurity plans can’t cover everything.

“It’s tough,” said Valdez. “Short of communicating with our employees, there’s nothing we could really do.”

Struggling to Maintain Public Trust

Tucson, Ariz., loses control of its website

“We don’t mess around when it comes to security!”

That’s the promise that Jupiter, Fla.-based company SchoolDesk, which creates and maintains websites for school districts, made in its $64,500-per-year contract with the 47,000-student Tucson, Ariz., schools.

Despite such assurances, though, hackers breached one of SchoolDesk’s servers earlier this month, temporarily redirecting roughly 800 school district websites around the country to Arabic-language messages in support of the militant Islamist group ISIS, as well as an image of former Iraqi dictator Saddam Hussein.

Tucson was one of the districts affected, leading to a spate of concerned news stories and social-media messages. A spokeswoman for the Tucson district said the site “was restored to normal in a matter of hours.” A statement from SchoolDesk said the company was cooperating with law enforcement to find the hackers responsible and “user data is secure and unaltered.”

Outside experts say the incident highlights a couple of the big cybersecurity challenges facing schools.

Sometimes, hackers mostly want to create mayhem, said Douglas A. Levin of EdTech Strategies. That’s what happened when outsiders recently took control of the official Twitter accounts of Florida’s Fort Lucie school district and Nevada’s Foothill High School, in Henderson.

And ensuring that vendors provide strong information-technology safeguards has proved particularly difficult for K-12 schools, said Missouri State Auditor Nicole Galloway, who has been examining school cybersecurity practices in her state.

Technology contracts should outline who is responsible for preventing and detecting breaches, and what steps will be taken if a problem occurs, Galloway said. But that’s not typically what happens, leaving schools open to considerable risk.

“If a school district is financially responsible for monitoring credit scores or hiring attorneys or forensic specialists, that’s money that doesn’t go into the classroom,” Galloway said. “And if a breach does happen, it can hurt parents’ perception of how their district is handling technology.”

A version of this article appeared in the November 29, 2017 edition of Education Week as Schools Struggle With Hacking, Other Cyber Threats

Events

Jobs Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and other jobs in K-12 education at the EdWeek Top School Jobs virtual career fair.
Ed-Tech Policy Webinar Artificial Intelligence in Practice: Building a Roadmap for AI Use in Schools
AI in education: game-changer or classroom chaos? Join our webinar & learn how to navigate this evolving tech responsibly.
Education Webinar Developing and Executing Impactful Research Campaigns to Fuel Your Ed Marketing Strategy 
Develop impactful research campaigns to fuel your marketing. Join the EdWeek Research Center for a webinar with actionable take-aways for companies who sell to K-12 districts.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

School & District Management The Eclipse Is Great for Learning. But It's Tough on School Logistics
A total solar eclipse will cross a large swath of the country on April 8, sparking tough management choices for leaders of the districts in its path.
5 min read
A woman and stands outside with her arm on the back of a boy as they look up at the sky while wearing special paper glasses made for viewing a solar eclipse.
Jackie Johnson and her son Bradley Johnson, 9, watch a partial solar eclipse at the Frost Science Museum on Oct. 14, 2023, in downtown Miami. In 2024, some districts are planning to delay or cancel school on the day of a total eclipse, out of safety concerns.
Matias J. Ocner/Miami Herald via AP
School & District Management Opinion A Good Principal Knows When It's Time to Leave
I didn’t leave my job because of burnout; I stepped away from being a school leader because it was in everybody’s best interest.
Matthew Ebert
4 min read
Conceptual illustration of someone handing off a baton to someone else over a completed puzzle.
Vanessa Solis/Education Week via Canva
School & District Management Principals Tell Politicians on Capitol Hill: We’re Burning Out
Students' mental health top principals' growing list of concerns.
6 min read
People walk outside the U.S Capitol building in Washington, June 9, 2022.
Visitors walk outside the U.S Capitol building in Washington on June 9, 2022.
Patrick Semansky/AP
School & District Management Women Superintendents Experience Bias on the Climb to Leadership
Interpersonal slights and inequities make it hard for women to land the job and stay in it.
3 min read
Woman stands in front of a staircase in different colors. She is about to walk up the stairs. Concept of standing in front of a challenge and finding the right solution and courage to move on.
mikkelwilliam/E+