Evidence assembled to maintain the K-12 Cyber Incident Map reveals that public schools have not been immune to the same types of data breaches and cybersecurity incidents routinely plaguing even the most technologically advanced and well-resourced corporations and government agencies.
To shed light on this emerging issue, the K-12 Cybersecurity Resource Center recently published a first-of-its-kind report, “The State of K-12 Cybersecurity: 2018 Year in Review.” Analyses conducted for the report reveal that a total of 122 publicly-disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states were experienced during 2018.
While that number is surely an under count of cyber incidents affecting schools, what can we learn from them? What are the nature of these incidents? How significant are they? What is their real world impact?
Local TV news reports of the ‘Top 10’ Incidents of 2018 — presented in chronological order below — offer insights into these and related questions:
FEBRUARY 22, 2018: IN PENNSYLVANIA, DATA BREACH PUTS EVERY TEACHER IN THE STATE AT RISK
As a result of human error, the Pennsylvania Department of Education’s Teacher Information Management System (TIMS), which holds the personal information of 330,000 professional school staff across the state, was potentially compromised. Affected individuals were critical of how and when they were notified of the incident.
MARCH 1, 2018: TARGETED PHISHING ATTACK LEADS TO IDENTITY THEFT, TAX FRAUD
Texas district officials said an employee responded to a sophisticated phishing email from a scammer pretending to be the superintendent. The criminal actors requested — and received — copies of W-2 tax forms for all district employees. The IRS has warned K-12 districts nationwide about similar email phishing attacks, resulting in widespread school employee identity theft and tax fraud.
MARCH 12, 2018: DATA BREACH AT FLORIDA VIRTUAL SCHOOL LEADS TO SALE OF STUDENT DATA ON DARK WEB
After a researcher spotted school data up for sale on the dark web, an investigation revealed that Florida Virtual School (FLVS) had unwittingly published unencrypted confidential student and teacher data on the internet for a period of nearly two years. The breach affected at least 368,000 current and former teachers, students, and their families.
APRIL 14, 2018: SCHOOL DISTRICT PAYS $10,000 BITCOIN RANSOM TO RESTORE ACCESS TO CRITICAL SYSTEMS
Affected by ransomware and unable to restore its own technology systems after several weeks had passed, a Massachusetts school district took the advice of local law enforcement and paid extortionists in an effort to regain access to email services, school lunch payment services, and the district’s own website.
MAY 11, 2018: POLICE RAID STUDENT’S HOME IN GRADE CHANGING INCIDENT
A 16 year-old California student phished his teachers to gain access to the grading system at his high school, a hack he described as ‘beginner level.’ The result: a police raid and potential criminal charges. Incidents of student hacking into school IT systems are not uncommon, although responses by school authorities vary considerably.
SEPTEMBER 13, 2018: THE FBI WARNS OF THE SECURITY, PRIVACY RISKS OF EDTECH ADOPTION
In an unprecedented statement, the FBI issued a warning in 2018 to school leaders and parents that the rapid growth in implementation of education technologies in U.S. schools and districts — coupled with the widespread collection of student data — could have privacy and safety implications if it is compromised or exploited.
OCTOBER 4, 2018: U.S. SENATOR CALLS FOR FEDERAL AID AFTER SCHOOL NETWORKS TARGETED
Repeated distributed denial-of-service attacks (DDoS) directed at the Central New York Regional Information Center have disrupted internet connectivity, causing huge problems — and disruptions to teaching and learning — for dozens of school districts across Central New York.
NOVEMBER 1, 2018: DISGRUNTLED FORMER EMPLOYEE STEALS SENSITIVE DISTRICT DATABASE
A former Chicago Public Schools (CPS) employee left her job with more than just her final paycheck: she allegedly took the personal information of about 70,000 people contained in a CPS database. This incident was only 1 of 5 publicly-disclosed data breaches experienced by CPS since 2016 (and 1 of 3 in 2018 alone).
NOVEMBER 20, 2018: TEXAS DISTRICT SCAMMED OUT OF $2 MILLION SCHOOL CONSTRUCTION PAYMENT
Only after the fact did a Texas district learn that payments to a school construction vendor were electronically transferred to a fraudulent account. While exceptional for the magnitude of the theft, other districts in Idaho, Louisiana, New Jersey, and Texas also lost hundreds of thousands of dollars during 2018 in similar scams.
DECEMBER 21, 2018: ON CUSP OF WINTER BREAK, DISTRICT DISCLOSES MASSIVE DATA BREACH
San Diego Unified schools discovered an unauthorized user was gathering log-in information from staff via an email phishing campaign to access sensitive district services. The resulting data breach compromised student and staff data on more than 500,000 individuals (who may have interacted with the district anytime since the 2008–9 school year).
As we look to 2019 and beyond, we can expect schools to continue their reliance on technology and in so doing increase their cyber risk profile. Ultimately, the goal of K-12 stakeholders must be to reduce and better manage the cybersecurity risks facing increasingly technologically-dependent schools, but make no mistake: keeping K-12 schools ‘cyber secure’ is a wicked problem — one that is assured to get worse until we take meaningful steps to address it. It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign; all are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.
Enhancing the capacity of the K-12 community to share timely information, build a knowledge base, and identify and promulgate promising policies and practices is why the K-12 Cybersecurity Resource Center was launched. This report, “The State of K-12 Cybersecurity: 2018 Year in Review,” is only a small, but necessary step in a much longer journey toward building the will and capacity to act.
To learn more, the report, “The State of K-2 Cybersecurity: 2018 Year in Review,” can be accessed in full at: https://k12cybersecure.com/year-in-review/