Just a little over a month into 2019, already about a dozen cybersecurity incidents have struck U.S. school districts. And if the past is any indication, more are likely to come.
A U.S. school district becomes the victim of a cyberattack almost as often as every three days, according to a report released Thursday.
Last year, public K-12 education institutions experienced 122 known cybersecurity incidents, ranging from data breaches to phishing scams and ransomware attacks. But that only represents the tip of the iceberg, says Doug Levin, author of “The State of K-12 Cybersecurity: 2018 Year in Review.”
“It’s definitely an undercount,” Levin said in an interview last month. By his estimate, as many as 10 or 20 times more undisclosed breaches could have occurred last year in the education sector, because many districts elect not to disclose such incidents to the public.
Levin, who is president of EdTech Strategies, a consulting firm, maintains a database of publicly disclosed K-12 cybersecurity incidents dating back to 2016. Since then, he has catalogued more than 415 incidents, which include:
- denial of service attacks, including one at Mt. Zion School District in Illinois that disrupted access to the district’s computer network;
- phishing scams, like what happened at Olympia School District in Washington state, where a fraudulent email tricked an employee into sending the sensitive information of district staff;
- ransomware attacks, which typically infect a computer system with software that either blocks access or releases personally identifiable information unless the victim pays a ransom; and
- unauthorized disclosures or data breaches, often caused by human error in the education sector, as was the case at the Pennsylvania Department of Education.
“I think it’s going to get worse before it gets better,” he said. I’m seeing what I would characterize as pretty significant events that are actually happening in schools today.” These events not only disrupt teaching and learning, Levin added, but can also cost districts up to six-figures to redress.
Of the 122 cybersecurity incidents Levin identified last year, all but seven affected traditional school districts and charter schools. The exceptions include Florida Virtual School and the state education agencies in North Dakota and Pennsylvania. Of the school districts affected, two—Chicago Public Schools and Mt. Diablo Unified School District in California—experienced more than one cyberattack in 2018.
In his analysis, Levin sought to understand whether certain characteristics made a district more likely to be targeted. “It seems to be non-discriminating,” he concluded. Suburban, rural and urban districts, as well as small, mid-sized and large districts, were similarly vulnerable.
The exception, he found, are districts with a higher population of students living in poverty. These were less likely to be affected by cyberattacks. In 2018, 70 percent of these events occurred in low-poverty districts, defined as districts that have fewer than 20 percent of students living in poverty. Just 5 percent of incidents occurred in districts that have more than 30 percent of students in poverty.
“One plausible hypothesis is that wealthier school communities may be relying on more technology than other district types and hence are exposed to greater risks,” Levin writes in the report.
Levin also highlights a “top 10” incidents of the year in the report, based on the number of individuals affected and the costliest cases. Among them are the December breach that exposed the data of 500,000 students and staff at San Diego Unified, as well as an incident last April where a Massachusetts school district paid a $10,000 bitcoin ransom following an attack on its computer system.
Taken together, these incidents have become hard to ignore, Levin said.
“This is a wicked problem,” he said. “There’s no easy solution. It’s not just that we need more money, different policies or more training. The nature of these threats is going to keep changing. And if major companies—Equifax, Apple, Cisco, Facebook—can’t keep a handle on their stuff, what chance do little school districts have?”