A wide range of cybersecurity threats are sweeping through the education sector, sowing discord and costing public schools significant time, money, and trust.
Criminal hacking groups have terrorized and extorted school communities. Email scams have led to identify theft, fraudulent tax returns, and stolen public funds. Mistakes by district staff, third-party vendors, and other outside groups have left teacher and student information vulnerable.
Still, the country’s K-12 information-technology leaders are likely underestimating the dangers they face. Most don’t see cybersecurity threats such as ransomware attacks, phishing schemes, and data breaches as a significant problem, according to a new survey by the Consortium for School Networking, or CoSN, and the Education Week Research Center.
Even more troubling, many school technology leaders are failing to take basic steps to secure their networks and data. Just 15 percent say they have implemented a cybersecurity plan in their own district, the survey found.
That’s not good enough, said Keith Krueger, the CEO of CoSN, a professional association for K-12 technology leaders.
“The challenges are becoming more sophisticated, and everyone is at greater risk,” Krueger said.
Many experts agree.
In February, for example, the Internal Revenue Service issued an “urgent alert” about scammers targeting school districts, with the aim of fraudulently obtaining employees’ federal W-2 forms, payroll information, or other data that could be used to steal money and file false tax returns. Dozens of districts fell victim to such attacks.
And last month, the U.S. Department of Education issued a fresh advisory, warning of criminal hackers seeking to take advantage of schools’ weak security by stealing or locking up their sensitive data, then holding them for ransom. The announcement followed hacks of schools in Iowa, Montana, and Texas believed to be perpetrated by an overseas criminal group known as Dark Overlord.
All told, at least 235 K-12 cybersecurity-related incidents have been reported by media outlets since January 2016, said Douglas A. Levin, the CEO of consulting group EdTech Strategies. Far more have almost certainly gone unreported, he said.
The threat is many-sided.
While often overlooked, staff and students are frequent sources of cyber mayhem, Levin said—some because they’re out to cause harm, others because they don’t know any better.
School districts have also done a poor job of ensuring that outside companies provide adequate cyber protections. The CoSN/Education Week Research Center survey, for example, found that nearly 3 in 4 district IT leaders say they are not “adding security safeguards to vendor negotiations.”
And while the K-12 sector has spent heavily on digital devices, software, and bandwidth, investments in cybersecurity have not kept pace. That’s left many district IT departments understaffed and under-resourced—just as they’re being asked to fend off the types of attacks that have overcome such corporate titans as Equifax, Target, and Yahoo.
“In general, our data and IT systems are under assault,” Levin said. “It would be negligence on the part of K-12 leaders to believe that somehow schools don’t represent a big new target.”
To better understand the cybersecurity challenges facing schools, Education Week talked with school leaders in Arizona, Connecticut, Montana, and Texas about the cybersecurity incidents they faced, and how they responded.
‘The Threat Is Real’
Dark Overlord hackers attack Columbia Falls, Mont., schools
Steve Bradshaw was looking at another terrifying email message.
An overseas criminal hacking group known as Dark Overload had already compromised one of the servers used by the 2,100-student Columbia Falls, Mont., school district, where Bradshaw is the superintendent. The hackers had stolen reams of sensitive information, including special education and behavioral-health reports on children, and sent parents graphic messages threatening their children with violence. And in a seven-page ransom letter, the group had promised an “immense and unfathomable amount of financial and reputational harm” if Columbia Falls failed to meet its demand for $150,000 in a cryptocurrency known as Bitcoin.
Now, the hackers said they had breached the district’s internet-connected security-camera systems. The message said they had been watching the law-enforcement officials outside the school, accurately describing their location and movements.
For the first time in his 42-year career, Bradshaw said, he started sleeping with his shotgun.“It was a full-blown crisis,” he said.
The attacks spread to 32 schools throughout Montana’s Flathead Valley, affecting 15,000 students. The FBI got involved. Columbia Falls shut down for three days. When schools reopened, parents wanted to maintain armed patrols of the hallways.
After the threats of violence were deemed not credible, Bradshaw’s district decided not to pay the ransom. But two months after the attack, the threat of a massive release of sensitive student data still hangs over the area. And the Dark Overlord hackers have apparently branched out, claiming credit for similar cyberattacks of schools in Iowa and Texas.
Bradshaw attributes his district’s vulnerability to a number of factors. Not long before the hack occurred, he said, the Columbia Falls’ IT director had retired, and the 2½-person department had lost one of its part-time staff members.
During the prior years, Bradshaw said, the district had also neglected to upgrade its servers or purchase new cybersecurity software. The money instead went to buying digital devices for students, interactive white boards, virtual-reality science-lab software for classrooms, and better Wi-Fi access for schools.
“The tech came on fast,” Bradshaw said. “And there were a lot of things we didn’t really understand that you shouldn’t do anymore, like leaving access to our servers through outside entry points.”
That combination of more technology, new threats, and underinvestment in security is common inside many of the nation’s schools, said Keith Krueger, the CEO of the Consortium for School Networking.
Most districts don’t have a staff member dedicated specifically to cybersecurity, CoSN recently reported. And many district IT leaders have been slow to grasp the severity of the threat they face. Just 27 percent said ransomware attacks similar to what happened in Columbia Falls are a significant problem, according to results from a new CoSN/Education Week Research Center survey.
“K-12 is not a sector with huge technical capacity,” Krueger said. “The threat is real, and there needs to be more awareness.”
‘We Should Have Known Better’
Glastonbury, Conn., schools fall victim to phishing scam
In February, a new central-office employee in Connecticut’s 6,000-student Glastonbury schools received an email that appeared to be from one of her colleagues. The message requested that she send W-2 tax information for all the district’s 1,600 employees.
She obliged.
In August, however, federal prosecutors said the message was actually sent by Daniel Adekunle Ojo, a Nigerian citizen who had been living in North Carolina. In August, Ojo was charged with fraud and identify theft; authorities say he used a fake email address to steal Glastonbury school employees’ information, then file 122 false tax returns seeking a total of $596,897 in refunds. Ojo has pled not guilty to the charges.
Such scams are pervasive throughout K-12, said Douglas A. Levin of EdTech Strategies, who has been tracking cybersecurity incidents in schools for almost two years.
Among other districts where sensitive employee information was successfully phished: Manatee County, Fla., where hackers obtained the names, addresses, wages, and Social Security numbers of more than 7,700 school employees; and Atlanta, where scammers stole more than $56,000 from employees by successfully rerouting their direct-deposit payments.
Fake emails were also recently used to scam districts in Boulder, Colo., and Lake Ridge, Ill., out of hundreds of thousands of dollars in school construction funds.
Given such losses, Levin said, it’s surprising—and alarming—that fewer than half of district information-technology leaders describe phishing attacks as a significant problem.
One contributing factor: With so much recent attention and legislation around student-data privacy, many schools have been focused on identifying what information is collected from students and how it is used, rather than on how to keep safe the full scope of sensitive information on their networks.
That was the case in Glastonbury, Superintendent Alan Bookman said in an interview with Education Week.
But after falling victim to the phishing scam, Bookman said, his district has revamped training to provide outside guidance to administrative staff in departments such as human relations and payroll, where sensitive employee information is kept. Protocols around staff-email use are stricter. And all Glastonbury employees are now required to pick up duplicate tax forms in person.
“We should have known better,” Bookman said of the mistakes Glastonbury made.“We’re living in a different world.”
‘Nothing We Could Really Do’
Pflugerville, Texas, schools compromised by others’ missteps
Victor Valdez is laser-focused on cybersecurity.
As the chief technology officer for Texas’ 24,000-student Pflugerville Independent school district, Valdez said he faces cyber threats every day. One of his responses: “hiring a third-party company to come in and hack us, so we can find out where we’re vulnerable and clean things up.” Another strategy is to constantly monitor Pflugerville’s network, a tactic that last school year led Valdez’s team to identify and staunch a sudden, unexplained surge of traffic from Europe.
Still, such vigilance hasn’t been enough.
This past spring, an unknown number of the district’s employees—including Valdez himself—had their names and Social Security numbers compromised, as a result of a breach at the Texas Association of School Boards.
TASB is a statewide nonprofit group that, among other things, administers an unemployment-insurance program for Texas school employees. Spokeswoman Barbara Williams said TASB officials learned in May that personal information for more than half a million of those employees, in roughly 900 school districts across the state, had been posted publicly on the internet.
The association has spent months trying to notify everyone who may have been affected, offering a year of free credit monitoring and identify-theft resolution services, Williams said. The group has also stepped up its training, monitoring, and security procedures. There have been no reports that any of the compromised information was misused, according to Williams.
But for hundreds of other Texas districts, the breach is just another example of how even the best-laid K-12 cybersecurity plans can’t cover everything.
“It’s tough,” said Valdez. “Short of communicating with our employees, there’s nothing we could really do.”
Struggling to Maintain Public Trust
Tucson, Ariz., loses control of its website
“We don’t mess around when it comes to security!”
That’s the promise that Jupiter, Fla.-based company SchoolDesk, which creates and maintains websites for school districts, made in its $64,500-per-year contract with the 47,000-student Tucson, Ariz., schools.
Despite such assurances, though, hackers breached one of SchoolDesk’s servers earlier this month, temporarily redirecting roughly 800 school district websites around the country to Arabic-language messages in support of the militant Islamist group ISIS, as well as an image of former Iraqi dictator Saddam Hussein.
Tucson was one of the districts affected, leading to a spate of concerned news stories and social-media messages. A spokeswoman for the Tucson district said the site “was restored to normal in a matter of hours.” A statement from SchoolDesk said the company was cooperating with law enforcement to find the hackers responsible and “user data is secure and unaltered.”
Outside experts say the incident highlights a couple of the big cybersecurity challenges facing schools.
Sometimes, hackers mostly want to create mayhem, said Douglas A. Levin of EdTech Strategies. That’s what happened when outsiders recently took control of the official Twitter accounts of Florida’s Fort Lucie school district and Nevada’s Foothill High School, in Henderson.
And ensuring that vendors provide strong information-technology safeguards has proved particularly difficult for K-12 schools, said Missouri State Auditor Nicole Galloway, who has been examining school cybersecurity practices in her state.
Technology contracts should outline who is responsible for preventing and detecting breaches, and what steps will be taken if a problem occurs, Galloway said. But that’s not typically what happens, leaving schools open to considerable risk.
“If a school district is financially responsible for monitoring credit scores or hiring attorneys or forensic specialists, that’s money that doesn’t go into the classroom,” Galloway said. “And if a breach does happen, it can hurt parents’ perception of how their district is handling technology.”
