Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. “In this case, everybody has a key,” said cybersecurity expert Ian Coldwater, whose son attends a Minneapolis high school.
Often strapped for cash, districts are grossly ill-equipped not just to defend themselves but to respond diligently and transparently when attacked, especially as they struggle to help kids catch up from the pandemic and grapple with shrinking budgets.
Months after the Minneapolis attack, administrators have not delivered on their promise to inform individual victims. Unlike for hospitals, no federal law exists to require this notification from schools.
The Associated Press reached families of six students whose sexual assault case files were exposed. The message from a reporter was the first time anyone had alerted them.
“Truth is, they didn’t notify us about anything,” said a mother whose son’s case file has 80 documents.
Even when schools catch a ransomware attack in progress, the data are typically already gone. The Los Angeles Unified School District caught one last Labor Day weekend, only to see the private paperwork of more than 1,900 former students — including psychological evaluations and medical records — leaked online. Not until February did district officials disclose the breach’s full dimensions, noting the complexity of notifying victims with exposed files up to three decades old.
The lasting legacy of school ransomware attacks, it turns out, is not in school closures, recovery costs or even soaring cyberinsurance premiums. It is the trauma for staff, students and parents from the online exposure of private records — which the AP found on the open internet and dark web.
“A massive amount of information is being posted online, and nobody is looking to see just how bad it all is. Or, if somebody is looking, they’re not making the results public,” said analyst Brett Callow of the cybersecurity firm Emsisoft.
Other big districts recently stung by data theft include San Diego, Des Moines and Tucson, Arizona. While the severity of those hacks remains unclear, all have been criticized either for being slow to admit to being hit by ransomware, dragging their feet on notifying victims — or both.
ON CYBER SECURITY, SCHOOLS HAVE LAGGED
While other ransomware targets have fortified and segmented networks, encrypting data and mandating multi-factor authentication, school systems have been slower to react.
Ransomware likely has affected well over 5 million U.S. students by now, with district attacks on track to rise this year, said analyst Allan Liska of the cybersecurity firm Recorded Future. Nearly one in three U.S. districts had been breached by the end of 2021, according to a survey by the Center for Internet Security, a federally funded nonprofit.
“Everyone wants schools to be more secure, but very few want to see their taxes raised to do it,” Liska said.
Parents have instead pushed to use limited funds on things like bilingual teachers and new football helmets, said Albuquerque schools superintendent Scott Elder, whose district suffered a January 2022 ransomware attack.
Just three years ago, criminals did not routinely grab data in ransomware attacks, said TJ Sayers, cyberthreat intelligence manager at the Center for Internet Security. Now, it’s common, he said, with much of it sold on the dark web.
The criminals in the Minneapolis theft were especially aggressive. They shared links to the stolen data on Facebook, Twitter, Telegram and the dark web, which standard browsers can’t access. A handwritten note naming three students involved in one of the sexual abuse complaints was featured for a time on YouTube competitor Vimeo, which promptly took down the video.
The cybercrime syndicate behind the Los Angeles Unified attack was less brazen. But the 500 gigabytes it dumped on its dark web “leak site” remained freely available for download in June. They include financial records and personnel files with scanned Social Security cards and passports.
The public disclosure of psychological records or sexual assault case files, complete with students’ names, can fray psyches and thwart careers, psychologists say. One file stolen from Los Angeles Unified described how a middle-schooler had attempted suicide and been in and out of the psychiatric hospital a dozen times in a year.
The mother of a 16-year-old with autism recently got a letter from the San Diego Unified School District saying her daughter’s medical records may have been leaked online in an Oct. 25 breach.
“What,” Barbara Voit asked, “if she doesn’t want the world to know that she has autism?”