Report: K-12 cybersecurity incidents, risks growing across the country

K-12 local educational agencies nationwide experienced both more frequent and more significant cybersecurity incidents in 2018, according to a new report from The K-12 Cybersecurity Resource Center. Data suggests the incidents did not discriminate by district type, location or size.

There were 122 publicly reported K-12 cyber incidents in the U.S. in 2018, or about one incident every three days. A map on the center’s website shows the location of every reported cyber incident since 2016, in addition to a description of the attack. Mt. Diablo Unified School District in Contra Costa County was one of two districts nationwide to report more than one incident in 2018.

Data breaches were the most common type of cyber incident or threat reported in 2018, with just over half of those carried out or caused by members of the impacted school community, whether by staff or students. Other prominent forms of cyber incidents explored in the report are phishing attacks, largely by email, and ransomware and malware outbreaks. “Perhaps most concerning in 2018 were a number of successful phishing attacks targeted at school district business officials,” the report states. Phishing is the practice of sending bogus emails that appear to be from a reputable company, but are actually bait designed to trick the recipient into providing personal or sensitive information such as passwords or checking account, credit card and Social Security numbers.

The center’s year-end report includes an interactive breakdown of the top 10 cyber incidents of 2018, as well as a look at lessons for district officials to consider in 2019 and beyond. Among the key takeaways is the fact that cybersecurity breaches can have a major financial impact on schools and districts.

“During 2018, such incidents resulted in the theft of millions of tax payer dollars, stolen identities, tax fraud, altered school records, website and social media defacement, and the loss of access to school technology and IT systems for weeks or longer,” the report states. “Due to such incidents, parent, educator, student, taxpayer, and policymaker trust in education technology is being placed increasingly at risk.”

With more centralized data systems and platforms, larger numbers of districts, students and schools — even across district and state lines — are increasingly vulnerable to cyber attacks, the report concludes. “This is particularly concerning, because issues of K-12 cybersecurity have largely been overlooked by policymakers, regulators and school leaders, despite greater attention to issues of student data privacy.”

For in-depth advice on protecting against cyberattacks, officials and board members can refer to the National School Boards Association publication “Data Security for Schools: A Legal and Policy Guide for Schools Boards.”

In terms of student privacy, the FBI issued a September alert calling for increased public awareness of cyber threat concerns related to K-12 students. The continued reliance on technology and data in schools makes student information more of a target, the agency said. Malicious use of the data could result in social engineering, bullying, tracking, identity theft or other ways to target children.

In addition to strong data security systems, the senior advisor for Cybersecurity, Federal Student Aid Office recommends the following steps for local educational agencies:

  • Regularly updating software and operating systems
  • Conducting security audits and patching vulnerabilities
  • Restricting users’ ability to install software applications
  • Reminding employees to never click unsolicited links in emails
  • Backing up files on cloud networks
  • Training staff and students on data security best practices and phishing awareness

Additional reading on the CSBA blog:

“Sextortion: Another cyber danger for youth”

“Cyber thieves target school districts”