Schools Struggle to Keep Pace With Hackings, Other Cyber Threats

By Benjamin Herold — November 28, 2017
Superintendent Steve Bradshaw started sleeping with a shotgun following a disturbing hacking incident involving his district in Columbia Falls, Mont.

A wide range of cybersecurity threats are sweeping through the education sector, sowing discord and costing public schools significant time, money, and trust.

Criminal hacking groups have terrorized and extorted school communities. Email scams have led to identity theft, fraudulent tax returns, and stolen public funds. Mistakes by district staff, third-party vendors, and other outside groups have left teacher and student information vulnerable.

Still, the country’s K-12 information-technology leaders are likely underestimating the dangers they face. Most don’t see cybersecurity threats such as ransomware attacks, phishing schemes, and data breaches as a significant problem, according to a new survey by the Consortium for School Networking, or CoSN, and the Education Week Research Center.

Even more troubling, many school technology leaders are failing to take basic steps to secure their networks and data. Just 15 percent say they have implemented a cybersecurity plan in their own district, the survey found.

That’s not good enough, said Keith Krueger, the CEO of CoSN, a professional association for K-12 technology leaders.

“The challenges are becoming more sophisticated, and everyone is at greater risk,” Krueger said.

Many experts agree.

In February, for example, the Internal Revenue Service issued an “urgent alert” about scammers targeting school districts, with the aim of fraudulently obtaining employees’ federal W-2 forms, payroll information, or other data that could be used to steal money and file false tax returns. Dozens of districts fell victim to such attacks.

And last month, the U.S. Department of Education issued a fresh advisory, warning of criminal hackers seeking to take advantage of schools’ weak security by stealing or locking up their sensitive data, then holding them for ransom. The announcement followed hacks of schools in Iowa, Montana, and Texas believed to be perpetrated by an overseas criminal group known as Dark Overlord.

All told, at least 235 K-12 cybersecurity-related incidents have been reported by media outlets since January 2016, said Douglas A. Levin, the CEO of consulting group EdTech Strategies. Far more have almost certainly gone unreported, he said.

The threat is many-sided.

While often overlooked, staff and students are frequent sources of cyber mayhem, Levin said—some because they’re out to cause harm, others because they don’t know any better.

School districts have also done a poor job of ensuring that outside companies provide adequate cyber protections. The CoSN/Education Week Research Center survey, for example, found that nearly 3 in 4 district IT leaders say they are not “adding security safeguards to vendor negotiations.”

And while the K-12 sector has spent heavily on digital devices, software, and bandwidth, investments in cybersecurity have not kept pace. That’s left many district IT departments understaffed and under-resourced—just as they’re being asked to fend off the types of attacks that have overcome such corporate titans as Equifax, Target, and Yahoo.

“In general, our data and IT systems are under assault,” Levin said. “It would be negligence on the part of K-12 leaders to believe that somehow schools don’t represent a big new target.”

To better understand the cybersecurity challenges facing schools, Education Week talked with school leaders in Arizona, Connecticut, Montana, and Texas about the cybersecurity incidents they faced, and how they responded.

‘The Threat Is Real’

Dark Overlord hackers attack Columbia Falls, Mont., schools

Steve Bradshaw was looking at another terrifying email message.

An overseas criminal hacking group known as Dark Overlord had already compromised one of the servers used by the 2,100-student Columbia Falls, Mont., school district, where Bradshaw is the superintendent. The hackers had stolen reams of sensitive information, including special education and behavioral-health reports on children, and sent parents graphic messages threatening their children with violence. And in a seven-page ransom letter, the group had promised an “immense and unfathomable amount of financial and reputational harm” if Columbia Falls failed to meet its demand for $150,000 in a cryptocurrency known as Bitcoin.

Steve Bradshaw, the superintendent of the Columbia Falls, Mont., schools, attributes his district’s cyber vulnerability to turnover in IT leadership, and decisions not to upgrade its servers and invest in new cyber security software.

Now, the hackers said they had breached the district’s internet-connected security-camera systems. The message said they had been watching the law-enforcement officials outside the school, accurately describing their location and movements.

For the first time in his 42-year career, Bradshaw said, he started sleeping with his shotgun. “It was a full-blown crisis,” he said.

The attacks spread to 32 schools throughout Montana’s Flathead Valley, affecting 15,000 students. The FBI got involved. Columbia Falls shut down for three days. When schools reopened, parents wanted to maintain armed patrols of the hallways.

After the threats of violence were deemed not credible, Bradshaw’s district decided not to pay the ransom. But two months after the attack, the threat of a massive release of sensitive student data still hangs over the area. And the Dark Overlord hackers have apparently branched out, claiming credit for similar cyberattacks of schools in Iowa and Texas.

Bradshaw attributes his district’s vulnerability to a number of factors. Not long before the hack occurred, he said, Columbia Falls’ IT director had retired, and the 2½-person department had lost one of its part-time staff members.

During the prior years, Bradshaw said, the district had also neglected to upgrade its servers or purchase new cybersecurity software. The money instead went to buying digital devices for students, interactive white boards, virtual-reality science-lab software for classrooms, and better Wi-Fi access for schools.

“The tech came on fast,” Bradshaw said. “And there were a lot of things we didn’t really understand that you shouldn’t do anymore, like leaving access to our servers through outside entry points.”

That combination of more technology, new threats, and underinvestment in security is common inside many of the nation’s schools, said Keith Krueger, the CEO of the Consortium for School Networking.

Most districts don’t have a staff member dedicated specifically to cybersecurity, CoSN recently reported. And many district IT leaders have been slow to grasp the severity of the threat they face. Just 27 percent said ransomware attacks similar to what happened in Columbia Falls are a significant problem, according to results from a new CoSN/Education Week Research Center survey.

“K-12 is not a sector with huge technical capacity,” Krueger said. “The threat is real, and there needs to be more awareness.”

‘We Should Have Known Better’

Glastonbury, Conn., schools fall victim to phishing scam

In February, a new central-office employee in Connecticut’s 6,000-student Glastonbury schools received an email that appeared to be from one of her colleagues. The message requested that she send W-2 tax information for all the district’s 1,600 employees.

She obliged.

In August, however, federal prosecutors said the message was actually sent by Daniel Adekunle Ojo, a Nigerian citizen who had been living in North Carolina. In August, Ojo was charged with fraud and identity theft; authorities say he used a fake email address to steal Glastonbury school employees’ information, then file 122 false tax returns seeking a total of $596,897 in refunds. Ojo has pled not guilty to the charges.

Such scams are pervasive throughout K-12, said Douglas A. Levin of EdTech Strategies, who has been tracking cybersecurity incidents in schools for almost two years.

Among other districts where sensitive employee information was successfully phished: Manatee County, Fla., where hackers obtained the names, addresses, wages, and Social Security numbers of more than 7,700 school employees; and Atlanta, where scammers stole more than $56,000 from employees by successfully rerouting their direct-deposit payments.

Fake emails were also recently used to scam districts in Boulder, Colo., and Lake Ridge, Ill., out of hundreds of thousands of dollars in school construction funds.

Given such losses, Levin said, it’s surprising—and alarming—that fewer than half of district information-technology leaders describe phishing attacks as a significant problem.

One contributing factor: With so much recent attention and legislation around student-data privacy, many schools have been focused on identifying what information is collected from students and how it is used, rather than on how to keep safe the full scope of sensitive information on their networks.

That was the case in Glastonbury, Superintendent Alan Bookman said in an interview with Education Week.

But after falling victim to the phishing scam, Bookman said, his district has revamped training to provide outside guidance to administrative staff in departments such as human relations and payroll, where sensitive employee information is kept. Protocols around staff-email use are stricter. And all Glastonbury employees are now required to pick up duplicate tax forms in person.

“We should have known better,” Bookman said of the mistakes Glastonbury made. “We’re living in a different world.”

‘Nothing We Could Really Do’

Pflugerville, Texas, schools compromised by others’ missteps

Victor Valdez is laser-focused on cybersecurity.

As the chief technology officer for Texas’ 24,000-student Pflugerville Independent school district, Valdez said he faces cyber threats every day. One of his responses: “hiring a third-party company to come in and hack us, so we can find out where we’re vulnerable and clean things up.” Another strategy is to constantly monitor Pflugerville’s network, a tactic that last school year led Valdez’s team to identify and staunch a sudden, unexplained surge of traffic from Europe.

Still, such vigilance hasn’t been enough.

This past spring, an unknown number of the district’s employees—including Valdez himself—had their names and Social Security numbers compromised, as a result of a breach at the Texas Association of School Boards.

TASB is a statewide nonprofit group that, among other things, administers an unemployment-insurance program for Texas school employees. Spokeswoman Barbara Williams said TASB officials learned in May that personal information for more than half a million of those employees, in roughly 900 school districts across the state, had been posted publicly on the internet.

The association has spent months trying to notify everyone who may have been affected, offering a year of free credit monitoring and identity-theft resolution services, Williams said. The group has also stepped up its training, monitoring, and security procedures. There have been no reports that any of the compromised information was misused, according to Williams.

But for hundreds of other Texas districts, the breach is just another example of how even the best-laid K-12 cybersecurity plans can’t cover everything.

“It’s tough,” said Valdez. “Short of communicating with our employees, there’s nothing we could really do.”

Struggling to Maintain Public Trust

Tucson, Ariz., loses control of its website

“We don’t mess around when it comes to security!”

That’s the promise that Jupiter, Fla.-based company SchoolDesk, which creates and maintains websites for school districts, made in its $64,500-per-year contract with the 47,000-student Tucson, Ariz., schools.

Despite such assurances, though, hackers breached one of SchoolDesk’s servers earlier this month, temporarily redirecting roughly 800 school district websites around the country to Arabic-language messages in support of the militant Islamist group ISIS, as well as an image of former Iraqi dictator Saddam Hussein.

Tucson was one of the districts affected, leading to a spate of concerned news stories and social-media messages. A spokeswoman for the Tucson district said the site “was restored to normal in a matter of hours.” A statement from SchoolDesk said the company was cooperating with law enforcement to find the hackers responsible and “user data is secure and unaltered.”

Outside experts say the incident highlights a couple of the big cybersecurity challenges facing schools.

Sometimes, hackers mostly want to create mayhem, said Douglas A. Levin of EdTech Strategies. That’s what happened when outsiders recently took control of the official Twitter accounts of Florida’s Fort Lucie school district and Nevada’s Foothill High School, in Henderson.

And ensuring that vendors provide strong information-technology safeguards has proved particularly difficult for K-12 schools, said Missouri State Auditor Nicole Galloway, who has been examining school cybersecurity practices in her state.

Technology contracts should outline who is responsible for preventing and detecting breaches, and what steps will be taken if a problem occurs, Galloway said. But that’s not typically what happens, leaving schools open to considerable risk.

“If a school district is financially responsible for monitoring credit scores or hiring attorneys or forensic specialists, that’s money that doesn’t go into the classroom,” Galloway said. “And if a breach does happen, it can hurt parents’ perception of how their district is handling technology.”

A version of this article appeared in the November 29, 2017 edition of Education Week as Schools Struggle With Hacking, Other Cyber Threats
