Privacy & Security

Are Schools Now a Step Ahead of Cybercriminals? Not Quite, New Report Suggests

By Alyson Klein — March 10, 2022 4 min read
Image of a red glowing caution sign over a dark field of data.
  • Save to favorites
  • Print

Publicly reported ransomware attacks against K-12 schools and districts increased last year, even as documented cyberattacks in the K-12 system overall fell by more than half, according to a new report released March 10.

Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.

In fact, ransomware attacks—in which hackers essentially take a district’s data and refuse to give it back until they have received payments that can run in the hundreds of thousands of dollars—now make up the largest category of attacks for the first time since 2016, the year K12 Six began tracking cybersecurity incidents in schools.

In previous years, data breach attacks—in which someone who is not authorized to see or change certain types of data breaks into a district or school’s computer system and copies, steals, transmits, changes, or just views the information—were most common.

What’s more, ransomware attacks are increasingly coming from sophisticated cybercriminals who often work overseas in countries that are tough for U.S. law enforcement to reach, said Doug Levin, the national director of K12 SIX and one of the top experts in the country about cybersecurity for K-12 schools.

Often, these attackers intentionally target K-12 districts. They have been known to threaten to publicly release student data if their demands aren’t met and some have followed through on those threats. Others have threatened parents directly, hoping they’ll put pressure on their child’s school district to pay up.

Ransomware attacks can be very costly, in both learning time and money. Districts often close down their buildings to restore their systems. A Missouri district cited in the report, for example, closed for two days last year following an attack.

Even if districts—or their insurance companies—don’t pay a ransom, the costs of getting computer systems back in order can be “staggering,” the report said. For instance, Maryland’s Baltimore County school system spent almost $9.7 million responding to a late 2020 ransomware attack, the report notes.

Meanwhile, the seemingly dramatic decrease in the number of cyberattacks overall from 2020 to 2021 might seem like great news. But the outlook is much cloudier when you consider the broader context around K-12 cybersecurity, the report says.

To begin with, the number of cyberattacks may have been inflated during 2020, due to widespread virtual schooling across the country that year. Districts gave out millions of devices for students to use at home, on unfamiliar networks. Going back to in-person learning might have made it easier for districts to guard against attacks, the report says.

It’s also far from clear that the number of attacks has actually fallen as much as the data seem to indicate. That’s because K-12 Six is only able to count attacks that have been publicly reported. And requirements for schools to publicly report if they have been victims of cyberattacks are weak, at best, the report notes.

In fact, some districts have worked hard to avoid publicly disclosing attacks, the report says. Case-in-point: Florida’s Broward County district waited five months to report key information to people whose data was impacted, three months longer than allowed under federal rules, according to stories in the Sun Sentinel newspaper cited in the K-12 Six report.

The district also declared it had conducted its own cybersecurity investigation, but then later said the results of that inquiry weren’t put into writing, according to the K-12 Six report. And the report noted that district officials lobbied the state legislature to craft a law that would make it tougher for the public to find out about school cyberattacks.

But hiding the problem isn’t going to help, the report cautions. Weak public disclosure laws, “only [serve] to obscure the realities of school district and vendor operations from those charged with oversight, and to place school community members at unnecessary risk,” the report says.

To be sure, some districts may be much more cybersecure than they were just a few years ago since there is now a higher level of awareness of the potential for cyberattacks. Plus, insurance companies are beginning to require districts to have their own cybersecurity systems in place before they will take them on as clients. That means districts are beginning to put in place “commonsense” measures, such as multi-factor password authentication for employees and students, the report says.

“School districts may have done a modestly better job of defending their communities from cybersecurity threats” last year, the report concludes.

As in past years, larger, wealthier districts appear more likely to be the victims of cyberattacks than smaller, poorer districts, the report says. But it’s difficult to say whether that’s because hackers are more likely to target big districts, or whether larger districts are just more likely to publicly disclose attacks.

The federal government is beginning to direct its attention to K-12 cyberattacks. Congress recently passed legislation requiring a study of cyberattacks in schools, and another measure providing $1 billion to help states and local government organizations—including school districts—combat cyberattacks.

But policymakers will need to make sure all that research and money leads to, “meaningful improvements in K-12 cybersecurity risk management practices,” the report says.

Related Tags:

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
IT Infrastructure Webinar
A New Era In Connected Learning: Security, Accessibility and Affordability for a Future-Ready Classroom
Learn about Windows 11 SE and Surface Laptop SE. Enable students to unlock learning and develop new skills.
Content provided by Microsoft Surface
Classroom Technology K-12 Essentials Forum Making Technology Work Better in Schools
Join experts for a look at the steps schools are taking (or should take) to improve the use of technology in schools.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Budget & Finance Webinar
The ABCs of ESSER: How to Make the Most of Relief Funds Before They Expire
Join a diverse group of K-12 experts to learn how to leverage federal funds before they expire and improve student learning environments.
Content provided by Johnson Controls

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Download Be Ready When Parents Ask These 7 Questions About Data Privacy
These questions offer a roadmap for issues that K-12 leaders should be prepared to discuss.
1 min read
Data security and privacy concept. Visualization of personal or business information safety.
iStock/Getty Images Plus
Privacy & Security Cyber Hackers Attack Schools More Often Than You Think: 8 Ways to Stop Them
Experts say there’s no magic formula for districts to completely protect themselves from these incidents, but there are ways to reduce risk.
1 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security What Schools Can Learn From the Biggest Cyberattack Ever on a Single District
Hackers infiltrated a New York City school district vendor, jeopardizing personal information for 820,000 current and former students.
2 min read
Gloved hand reaching into a laptop screen hacking someone's account.
iStock/Getty Images Plus
Privacy & Security Explainer School Cyberattacks, Explained
Hackers are terrorizing schools with increasingly complex attacks, causing data breaches and more. Here’s what educators need to know.
12 min read
Image shows a glowing futuristic background with lock on digital integrated circuit.
iStock/Getty Images Plus