School Cyber Attacks Cost Money, Threaten Student Privacy

Julian Roberts-Grmela | December 31, 2023

(Chalkboard News) — Earlier this year, the Education Department and the Department of Homeland Security’s joint agency, the Cybersecurity and Infrastructure Security Agency (CISA), released guidance for district leaders to combat cyber threats. 

In an emailed statement, CISA’s executive assistant director for cybersecurity, Eric Goldstein, said schools and districts “remain a target of cyber threats, including ransomware.”

“The U.S. government is raising pressure on ransomware operators, using all the tools available across the federal government, including rapid and near-real-time information sharing on victims or potential victims has enabled us to quickly respond and support, often before impacts were fully realized,” Goldstein said. 

But Goldstein said, “The full scope of the problem can be difficult to measure because incidents are still widely underreported.”

Brett Callow, a threat analyst at the anti-malware company Emsisoft, said he tracked cyber attacks on schools over the last year and said that he has “provisional numbers” based on a list he made of “disclosures using vague terms like ‘IT security incident.’” 

Callow said he is still looking back through the list to see whether any of the incidents were later disclosed as ransomware, but that for now, he’s identified 107 school districts with 1,893 schools between them that may have been targets of cyber attacks. Of those 107 districts, 75 had data stolen, Callow said. 

In 2022, 45 school districts operating 1,981 schools had ransomware incidents, according to Emsisoft.

Doug Levin, the national director for K12 Security Information eXchange (K12 SIX), said that in 2023, cybersecurity attacks have led to school closures and phishing scams that lost schools about $1 million. 

Levin said the attacks also created data breaches “with information that is exceedingly sensitive about students and about employees being released by cyber criminals on the dark web.”

“In 2023, we have seen schools be frequent victims of ransomware attacks,” Levin said.

Levin said that although schools and school districts are falling victim, cybersecurity doesn’t just target the education sector. 

“Many companies that are much better resourced than schools and have a much longer history with these issues than we do still struggle with them, as well,” Levin said. 

Levin said that there is no simple solution. 

“If there were a silver bullet solution, we’d all be screaming it from the rooftops,” Levin said.

Levin said that there should be a federal law ensuring schools are “held to a higher standard of care with respect to cybersecurity.”

“It just needs to be the same sort of priority for school systems as, you know, physical security is for students or even for planning for other emergencies like building fires or extreme weather events,” Levin said.