Hackers preying on infrastructure have turned their attention to schools, the very last people who need that kind of stress.
In Albuquerque, New Mexico earlier this school year, a ransomware attack locked teachers out of the district’s student database – attendance records, class rosters, grade books, emergency contacts and students’ medical releases were all affected. Money was demanded (but not paid), and resolving the issue closed every school in the district for two days. Over 75,000 students were affected.
It was just one of several high-profile cyberattacks to affect schools since September, and there are probably more that have gone unreported. Schools are not required to disclose that sort of security breach, so precise numbers aren’t available. But a nonprofit group which helps schools increase their cybersecurity has tracked over 1200 incidents since 2016, including 209 ransomware attacks, 53 “denial of service” attacks where hackers sabotage school networks, and over a hundred successful phishing attacks, where a scam artist tricks a user in a school network into giving them access.
The pandemic has increased these attacks, especially in schools using virtual learning with staff working from home.
“It’s just that feeling of helplessness, of confusion as to why somebody would do something like this because at the end of the day, it’s taking away from our kids. And to me that’s just a disgusting way to try to, to get money,” said Superintendent Channell Segura about the issue. Segura is the superintendent of the district of Truth or Consequences, New Mexico, which also had its system shut down by ransomware just after Christmas. A month later, their network is still down, affecting everything from lunch menus to the keyless entry locks on building doors.
The law has been slow to catch up to cybercrime like this, but in October, President Biden signed the K-12 Cybersecurity Act, which directs the federal cyber security agency to instruct schools in better safety practices. Unfortunately, most schools in the country don’t have much of an IT department, leaving it to whoever teaches technology or manages records to do all of the work.