Ransomware attacks on schools threaten student data nationwide
Tucson, Ariz. — Imagine a criminal gaining unrestricted access to your child's most private information — medical records, Social Security numbers and even details about their daily bus ride to school. This alarming scenario is becoming a reality for a growing number of families as sophisticated cybercriminals increasingly target schools across the United States, holding their computer systems and private data hostage.
Data gathered by K12 Security Information Exchange, known as K12 SIX, a nonprofit focused on protecting schools from cybersecurity threats, and analyzed by CBS News, shows that there have been hundreds of ransomware attacks on districts since 2016.
Using publicly available reports, K12 SIX identified at least 325 ransomware attacks on school districts across the United States between April 2016 and the end of November 2022.
From January 2023 through June 2024, at least 83 potential ransomware attacks on school districts were disclosed, according to unreleased K12 SIX data acquired exclusively by CBS News. At least 21 of these attacks took place in the first half of this year.
Publicly disclosed ransomware attacks identified by K12 SIX appear to have grown steadily since 2018, as compared to other types of cyberattacks, which appear to have declined or fluctuated more from year to year.
Tucson district goes dark
In the second-largest school district in Arizona, a pre-dawn ransomware attack in January of 2023 left the Tucson Unified School District crippled.
"It was completely dark and blank because everything was down," said Rabih Hamadeh, the district's executive director of technology services. His team discovered that nearly every printer in the district had suddenly started printing ransom notes. The attackers, identifying themselves as the "Royal" cyber gang, had encrypted and copied critical data, threatening to publish it online unless a large ransom was paid.
Stacy Gosik, a mother of three sons in the district, recounted the terrifying possibility of having her children's digital identities compromised.
"Everything on my children — their doctor's information, bus stop information, medical records, where we live — was in the hands of criminals," Gosik said. "It's terrifying."
Tucson Unified School District did not pay the ransom, but schools were closed for two weeks while Hamadeh's team worked to repair and restore their systems. An investigation conducted by CBS News in partnership with cybersecurity firm GuidePoint Security revealed that at least some private student and employee information from the district had indeed been leaked to the dark web, where it could be sold to the highest bidder.
"We've seen students as young as first grade have their identity compromised and abused," said Doug Levin, national director of K12 SIX. "Young students are especially desirable targets because their credit records are unmonitored and can be exploited for years."
It cost nearly a million dollars to rebuild TUSD's system, an amount partially covered by the ransomware insurance that many schools now carry in case of attacks. "We need more support from both the state and federal levels," Hamadeh emphasized, calling for increased funding, expertise and training to protect schools from future incidents.
"It will happen again, not just to us," said Hamadeh.
Attacked in Allen, Texas
Ransomware attackers also targeted the Allen Independent School District in Texas. In September 2021, information on 550 current and former employees, three students and seven vendors that do business with the district was accessed by cyberattackers.
"Staff and parents of Allen ISD, Howdy!" the hackers reportedly wrote in an email to students and parents in October 2021. "We give you five days to collect money."
The hackers wrote that their ransom would increase to $10 million if the money was not raised. The email reportedly did not specify what the initial ransom was.
CBS News reached out to the district to ask about the attack. The district refused to answer any questions about the incident and told reporters to file a public records request. In response to a public records request by CBS News, Allen ISD then refused to provide documents and instead filed a letter with the Texas Attorney General's Office, citing multiple exceptions.
Documents submitted to the AG's office show that, after suffering the attack, Allen ISD hired lawyers from Lewis Brisbois Brisgaard & Smith through its cybersecurity insurer, Hartford Steam Boiler Inspection and Insurance Company.
"The District expected and anticipated significant litigation to result from this criminal cyber-attack," the district's lawyers wrote to the attorney general. "The data, processes, and procedures that were accessed by the attackers could have enormous effect on the day-to-day operations of the District that would force the District into taking swift legal action."
Documents filed with the attorney general's office also show that the district acquired services from Arete Advisors, CDW Government, Centre Technologies, CMC, Critical Stai1, Cyberone, Global Asset, Logical Control Services, SHI Government Solutions and Transfinder in the wake of the ransomware attack. The records do not specify how much each vendor was paid.
Taking on hackers
The rise in ransomware incidents was the focus of a White House summit in August 2023 that brought together law enforcement, educators and education technology providers to discuss how to protect the nation's schools. The U.S. Department of Education launched the Government Coordinating Council for the Education Facilities Subsector in May of this year, an effort the agency describes as "an unprecedented collaboration between federal, state, local and tribal governments to protect schools from cybersecurity threats."
"Schools and districts are being targeted because they are resource-rich for bad actors, looking for being able to attack whole systems, to try to shut down systems, to try to get information, personally identifying information or just preventing the district from normal functioning on all different levels," said U.S. Deputy Secretary of Education Cindy Marten.
"If a district does find themselves falling victim to this, we want rapid response," said Marten. "[Our department] gives actionable guidance for districts that have been targeted by ransomware attacks."
Other government efforts include facilitating additional training for educators and a $200 million pilot program adopted by the Federal Communications Commission that will fund cybersecurity improvements for schools and libraries.
Kids and cyber safety
Marshini Chetty, an assistant professor at the University of Chicago's Department of Computer Science, developed a game app called Cybernaut to help young children learn to be cyber safe.
"It's important to start these lessons early," said Chetty. "Otherwise, you get this poor security hygiene and it's really hard to undo it."
Illinois Valley Community College Chief Information Security Officer Brian Pichman, who leads a summer computer camp for kids on campus, agrees.
"We teach kids as young as 8 how to protect their digital identities and recognize online scams," said Pichman.
Pichman says it's especially important now that many children are issued school email addresses when they start elementary school.
"Even me, when I was a kid, I got that fancy email from a rich prince." said Pichman. "Luckily, I was too young to know what my Social Security number was!"
- Have a "zero-trust" approach online
- Beware of malicious links, attachments and downloads sent via email or text
- Keep software updated, install security patches and consider installing an anti-virus system