Privacy & Security

Should School Districts Pay a Ransomware Demand? It’s Not Always Simple

By Lauraine Langreo — October 05, 2022 5 min read
Illustration of an open laptop with a red envelope attached to a fishing hook.
  • Save to favorites
  • Print

Ransomware and other cyberattacks on K-12 schools have increased, especially as districts lean further into technology use for teaching and learning, and as cybercriminals get more sophisticated.

Since the 2022-23 school year began, a handful of school districts have been hit with cyberattacks. Most recently, the nation’s second-largest school district, Los Angeles Unified, was targeted by a ransomware attack over the Labor Day weekend.

In a ransomware attack, cybercriminals break into a district or school’s network and take data and encrypt it, preventing the district from accessing the data. Attackers will decrypt and return the data if the district or its insurance company pays a ransom. Attackers typically threaten to release student and employee data to the public if they aren’t paid.

Guidance from the FBI and the Cybersecurity and Infrastructure Security Agency discourages paying the ransom because it doesn’t guarantee that the data will be decrypted or that the systems will no longer be compromised. Paying the cyber criminals also encourages hackers to target more victims.

[If a lot of sensitive information has been stolen,] it becomes a much different risk calculation for superintendents and for school boards.

Every district has its own unique risk calculations

Despite the guidance from the two federal agencies, the question of whether or not to pay ransom does not always have a simple answer.

“I would be hesitant to judge any school district harshly for whatever decisions they make—whether to pay or not to pay—after they’ve become a victim,” particularly in cases where districts have been locked out of all their systems and large amounts of data have been stolen, said Doug Levin, the national director of the K12 Security Information Exchange, a nonprofit focused on helping K-12 schools prevent cyberattacks.

If a lot of sensitive information has been stolen, “it becomes a much different risk calculation for superintendents and for school boards,” Levin said.

District officials have to weigh the risks of paying an extortion demand against the potential to restore operations and keep sensitive information from being publicly disclosed, Levin added.

See also

Image shows a glowing futuristic background with lock on digital integrated circuit.
iStock/Getty Images Plus
Privacy & Security Explainer School Cyberattacks, Explained
Alyson Klein, February 11, 2022
12 min read

Don Ringelestein, the chief technology officer for Maine Township High School District 207 in Illinois and a board member for the Consortium for School Networking, agreed that the decision to pay or not to pay a ransom “depends on each district’s situation.”

Ringelestein said his district, so far, has not been the victim of a successful ransomware attack.

The first thing district leaders should find out is what data the hackers are holding for ransom, said Ringelestein. If it’s something that isn’t sensitive or critical, it’s most likely not worth paying the ransom.

If the hackers have infiltrated the student information system, the finance system, or other critical systems, then the next thing district leaders need to figure out is whether they have “immutable backups,” Ringelestein said. An immutable backup means the stored data is fixed, unchangeable, and can’t be deleted. If there are immutable backups, then the district would just need to restore the data and “keep a very close eye” on the system to ensure the hackers aren’t still in the systems.

If the district doesn’t have those backups, then district officials, along with their cybersecurity insurance company and/or law enforcement, might need to negotiate to get the data and the affected systems restored.

“In some cases, you might have to [pay the ransom], but then you better make sure you put controls in place [so] that the same actor doesn’t come back and do it again,” Ringelestein said.

In the Los Angeles schools case, the hackers leaked the data they had on Oct. 1 after Superintendent Alberto Carvalho said he wouldn’t negotiate with or pay ransom to the cybercriminals. After analyzing the leaked data, the district found there was “no evidence of widespread impact as far as truly sensitive, confidential information,” Carvalho said in an Oct. 3 press briefing.

The school district’s technicians were able to stop the attack while it was in progress, which limited the damage to the district’s systems and data, Carvalho said.

Most districts have insufficient cybersecurity resources

Not all school districts have the cybersecurity resources that Los Angeles Unified does, though.

In recent years, a few districts, such as Cedar Rapids Community School District in Iowa and Judson Independent School District in Texas, have had to pay ransom fees in order to get their data and systems back because they didn’t stop the attack in time or because rebuilding their systems would be more expensive. There isn’t any concrete data on how many districts have paid ransom because they usually don’t disclose that information, according to Levin.

“Most districts don’t have somebody who’s in charge of cybersecurity, or they do but it’s another duty as assigned,” Ringelestein said.

“The job market works against us in education. It’s hard for us to get that kind of talent,” he added. “If a chief information security officer can make $250,000 in the private sector, nobody in education is going to pay that.”

See also

Image of a red glowing caution sign over a dark field of data.
Getty

One solution for the staffing issue could be neighboring districts sharing a chief information security officer or hiring a managed service provider to be in charge of a security operations center, Ringelestein said.

“Given our funding situation, given our ability to hire and our staffing situation, I think that’s the way to go,” he said.

Even though cybersecurity is a top priority for state ed-tech leaders, it is one of the top three unmet technology needs, according to a State Educational Technology Directors Association report. Only 8 percent of respondents to a survey said their state provides “ample” funding for cybersecurity risk mitigation efforts; 40 percent said their state allocates “very little” funding.

“The best advice for school districts is to avoid being a victim of ransomware in the first place,” Levin said.

Some ways to stop cyberattacks include:

  • Doing a risk assessment to figure out where your vulnerabilities are;
  • Having a cybersecurity plan that the district practices regularly;
  • Training employees and students on common tactics hackers use;
  • Backing up data regularly and making sure it’s separate from the main network;
  • and putting in place multifactor authentication systems.

Related Tags:

A version of this article appeared in the October 19, 2022 edition of Education Week as Should School Districts Pay a Ransomware Demand? It’s Not Always Simple

Events

School Climate & Safety K-12 Essentials Forum Strengthen Students’ Connections to School
Join this free event to learn how schools are creating the space for students to form strong bonds with each other and trusted adults.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
IT Infrastructure & Management Webinar
Future-Proofing Your School's Tech Ecosystem: Strategies for Asset Tracking, Sustainability, and Budget Optimization
Gain actionable insights into effective asset management, budget optimization, and sustainable IT practices.
Content provided by Follett Learning
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Budget & Finance Webinar
Innovative Funding Models: A Deep Dive into Public-Private Partnerships
Discover how innovative funding models drive educational projects forward. Join us for insights into effective PPP implementation.
Content provided by Follett Learning

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty