Publicly reported ransomware attacks against K-12 schools and districts increased last year, even as documented cyberattacks in the K-12 system overall fell by more than half, according to a new report released March 10.
Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.
In fact, ransomware attacks—in which hackers essentially take a district’s data and refuse to give it back until they have received payments that can run in the hundreds of thousands of dollars—now make up the largest category of attacks for the first time since 2016, the year K12 Six began tracking cybersecurity incidents in schools.
In previous years, data breach attacks—in which someone who is not authorized to see or change certain types of data breaks into a district or school’s computer system and copies, steals, transmits, changes, or just views the information—were most common.
What’s more, ransomware attacks are increasingly coming from sophisticated cybercriminals who often work overseas in countries that are tough for U.S. law enforcement to reach, said Doug Levin, the national director of K12 SIX and one of the top experts in the country about cybersecurity for K-12 schools.
Often, these attackers intentionally target K-12 districts. They have been known to threaten to publicly release student data if their demands aren’t met and some have followed through on those threats. Others have threatened parents directly, hoping they’ll put pressure on their child’s school district to pay up.
Ransomware attacks can be very costly, in both learning time and money. Districts often close down their buildings to restore their systems. A Missouri district cited in the report, for example, closed for two days last year following an attack.
Even if districts—or their insurance companies—don’t pay a ransom, the costs of getting computer systems back in order can be “staggering,” the report said. For instance, Maryland’s Baltimore County school system spent almost $9.7 million responding to a late 2020 ransomware attack, the report notes.
Meanwhile, the seemingly dramatic decrease in the number of cyberattacks overall from 2020 to 2021 might seem like great news. But the outlook is much cloudier when you consider the broader context around K-12 cybersecurity, the report says.
To begin with, the number of cyberattacks may have been inflated during 2020, due to widespread virtual schooling across the country that year. Districts gave out millions of devices for students to use at home, on unfamiliar networks. Going back to in-person learning might have made it easier for districts to guard against attacks, the report says.
It’s also far from clear that the number of attacks has actually fallen as much as the data seem to indicate. That’s because K-12 Six is only able to count attacks that have been publicly reported. And requirements for schools to publicly report if they have been victims of cyberattacks are weak, at best, the report notes.
In fact, some districts have worked hard to avoid publicly disclosing attacks, the report says. Case-in-point: Florida’s Broward County district waited five months to report key information to people whose data was impacted, three months longer than allowed under federal rules, according to stories in the Sun Sentinel newspaper cited in the K-12 Six report.
The district also declared it had conducted its own cybersecurity investigation, but then later said the results of that inquiry weren’t put into writing, according to the K-12 Six report. And the report noted that district officials lobbied the state legislature to craft a law that would make it tougher for the public to find out about school cyberattacks.
But hiding the problem isn’t going to help, the report cautions. Weak public disclosure laws, “only [serve] to obscure the realities of school district and vendor operations from those charged with oversight, and to place school community members at unnecessary risk,” the report says.
To be sure, some districts may be much more cybersecure than they were just a few years ago since there is now a higher level of awareness of the potential for cyberattacks. Plus, insurance companies are beginning to require districts to have their own cybersecurity systems in place before they will take them on as clients. That means districts are beginning to put in place “commonsense” measures, such as multi-factor password authentication for employees and students, the report says.
“School districts may have done a modestly better job of defending their communities from cybersecurity threats” last year, the report concludes.
As in past years, larger, wealthier districts appear more likely to be the victims of cyberattacks than smaller, poorer districts, the report says. But it’s difficult to say whether that’s because hackers are more likely to target big districts, or whether larger districts are just more likely to publicly disclose attacks.
The federal government is beginning to direct its attention to K-12 cyberattacks. Congress recently passed legislation requiring a study of cyberattacks in schools, and another measure providing $1 billion to help states and local government organizations—including school districts—combat cyberattacks.
But policymakers will need to make sure all that research and money leads to, “meaningful improvements in K-12 cybersecurity risk management practices,” the report says.
