Cyber thieves target school districts

Schools and districts are being advised to safeguard against cyberattacks. The latest threat is from cyber bandits threatening to release student records if schools do not pay a ransom to retrieve their records. In some cases threats of violence have also been used.

According to the U.S. Department of Education, the FBI is investigating the scheme. The hacking targets schools with weak data security using malicious software or through phishing attacks against district staff or employees. Phishing involves using an electronic disguise to acquire sensitive personal information such as passwords through email and other messaging.

This is just the latest case of cyberattacks in recent years. According to Ed Tech Strategies, U.S. K-12 public schools and districts have experienced roughly 234 cybersecurity-related incidents since January 2016.

In California, data breaches have hit K-12 public schools and state universities. The California State University had a data hack at eight campuses in 2015 that exposed the personal information of nearly 80,000 students. In Sacramento, federal prosecutors said Russian hackers stole personal information from students in the San Juan Unified School District and used the information to set up phony businesses. Elsewhere, a phishing scheme last spring sent an email to fiscal staff asking for a list of all employees and their W-2 tax forms containing personal information including social security information. The scam allowed hackers to intercept employee tax refunds. In another scheme, district fiscal employees were asked to wire transfer money, with the request often including the name of a high-level administrator in the organization. Similarly, official-looking emails appearing to be from comptrollers or payroll managers have asked employees for wire transfers.

Most recently, the San Ysidro School District’s computers were infected with malware that deleted emails and forced the district to temporarily shut down parts of its system. A ransom was demanded for the return of the deleted emails. However, the district maintained back-up files that negated the need to pay.

In response, schools and districts are encouraged to develop or update policies and procedures to respond to cyberattacks. In addition to strong data security systems, the senior advisor for Cybersecurity, Federal Student Aid Office recommends the following steps for local educational agencies:

  • regularly updating software and operating systems
  • conducting security audits and patching vulnerabilities
  • restricting users’ ability to install software applications
  • reminding employees to never click unsolicited links in emails
  • backing up files on cloud networks
  • training staff and students on data security best practices and phishing awareness

The U.S. Department of Education recommends that organizations affected by this type of attack contact local law enforcement immediately. The DOE also requests that affected K-12 schools contact it at so that it can monitor the spread of the threat.

For more in-depth advice on protecting against cyberattacks, see also the National School Boards Association publication Data Security for Schools: A Legal and Policy Guide for Schools Boards.

The Education Writers Association has recently released a podcast episode on cyberattacks here.