Schools Aren't Required to Report Increasing Cyber Attacks: Kids at Risk, Parents in The Dark
SACRAMENTO (CBS13) — Cybercriminals are targeting schools at an alarming rate and putting kids at risk of identity theft - and their parents may never know. CBS13 has uncovered alarming school cyber-attack statistics and a lack of school policies for tracking and reporting these attacks.
- Schools are not required to report cyber-attacks to any governing body.
- In most cases - parents don't even have the right to know that their kid's school has been attacked.
- CBS 13 asked more than 50 local districts about their policies for reporting and tracking cyber breaches, and only one district confirmed that it actually had one.
- Meanwhile, CBS 13 reviewed more than 120 recent school cyber incidents at California at K-12 schools, including more than a dozen ransomware attacks. At least one was never reported publicly or to parents.
From high schoolers fresh off distance learning, to "Mr. Code's Wild Ride" coding classes, most kids realize the repercussions of a cyber attack—but it turns out that their schools may not.
According to a recent IBM survey, roughly half of educators and administrators said they were "not concerned" about cyber attacks
When CBS13 asked local school districts about their policies for tracking and reporting breaches, only one out of 50 school districts confirmed that it actually had a policy.
"It's very difficult to make progress on this issue when we're kept in the dark. Parents can't protect their children and policymakers don't know that there is a need to take action to protect their communities."
Two school districts said they were in the process of developing a cyber-attack reporting policy, and several said they needed additional time to respond, which is allowed under California's Public Records Act. However, the vast majority of school districts did not respond at all to CBS13's request.
Meanwhile, CBS13 has identified more than a hundred publicly reported cybersecurity incidents at California K-12 schools, including nearly a dozen recent ransomware attacks—a type of malicious software that locks up computers and files until a ransom is paid.
We confirmed at least one ransomware attack in a Placer County school district was never reported publicly or to parents.
Cyber security analysts tracked more than 1,600 ransomware attacks on school districts nationwide last year alone.
And there are increasing reports that student information, from hundreds of these breaches, is now available on the dark web.
Kids' information sells for a premium because their clean credit histories make them ideal targets for identity thieves and most won't discover they've been victimized for years.
This Toledo incident was referenced in a letter, from Senator Blackburn to the Department of Education, calling for accountability and data on the number of kids impacted.
"These incidents are happening much more frequently than many people understand," said Doug Levin, the director of the non-profit K-12 Security Information Exchange, which helps protect schools from cyber threats.
His group tracks publicly reported cyberattacks but he says most schools never report them.
"It's very difficult to make progress on this issue when we're kept in the dark," Levin said. "Parents can't protect their children and policymakers don't know that there is a need to take action to protect their communities."
California tops the FBI's internet crime report for total victims and money lost, and Levin says California is among the top three states for school cyber-attacks.
Yet, the California Department of Education tells us, "There is no requirement for schools to report ransomware attacks to either state or federal entities."
"Cybersecurity practices for school districts are largely unregulated right now across the US," Levin said.
The California Department of Education (CDE) told CBS13 that schools may "self-report" to private entities. CDE provided a link to Levin's nonprofit and data breaches in its response to CBS13. However, Levin says he is not aware of any schools that have ever self-reported.
The CDE also told CBS13 that it is not aware of any school districts in California that have paid a ransom.
"There have been public reports of California school districts who have paid," Levin pointed out, "which [means] obviously they're not tracking either."
In fact, Levin notes that there is no consistent standard for who should be notified of school breaches, and it appears that even state regulators are confused.
CDE did point CBS13 to this federal law, which they initially said required that parents and students be notified if a student's information is disclosed. But the feds say that's simply not true—the law does not require schools to notify students of compromised information.
Several districts told CBS13 that they would, in some cases, notify families under the California Data Security Breach Notification Law—which applies to California businesses and agencies.
But other districts seemed unaware of the state law, or said it wouldn't necessarily apply to ransomware attacks without evidence hackers actually "acquired" specific personal information.
"Really what they're saying is we don't have evidence that student data was stolen," Levin said.
But he stressed that schools should assume private information was compromised after any ransomware attack because hackers often have access to school servers for days or weeks before they activate ransomware.
"I mean, at that point, the damage has been done," Levin said.
The California Data Security Breach Notification Law, which does not specifically reference schools, only requires reporting of specific types of information that was knowingly "acquired by an unauthorized person."
Under the law, California businesses and agencies are also supposed to report breaches impacting more than 500 people to the California attorney general. However, a ransomware attack alone may not require reporting under the law. California state law requires reporting to those impacted by a breach if certain unencrypted "personal information" are breached, as described in the statute.
AG records reveal more than 25 reported breaches by schools and districts in the 7 years between 2012 and 2019.
By comparison, there have been nearly 50 breaches reported by schools in the past 15 months. And those are only the reported breaches.
One local district—which had two recent unreported attacks—told CBS13 that it only reports cyber attacks to its insurance company. The district added that it would only notify students and families based on advice from that insurer,
"The insurance companies should not be the ones making that determination," Levin said. "These are public institutions using taxpayer money to provide valuable services to a sensitive population. Our children."
In Texas, schools must report stolen student information to the state education agency. A bill in Illinois would require schools to report any cyber breach to the department of education there. And this federal bill would commission a study on cyber security risks facing schools.
But so far, nothing requires California schools to track or report the increasing cyber-attacks.
The Center of Internet Security, which monitors emerging threats, is projecting a 86% increase this year in cyberattacks on schools.
Experts recommend placing a credit freeze on your child's social security number with all three credit monitoring services, Experian, Equifax and TransUnion. A child credit freeze can help prevent hackers from using their information to open credit cards or take out loans in their name.
The law enabling child credit freezes in California was prompted by previous CBS13 investigations.
UPDATE 10/04/21: This story was updated to include additional data provided by the Attorney General's office.