Along with most of America, the residents of Johnston, Iowa, awoke on Oct. 2, 2017, to media reports of a mass shooting at a Las Vegas music festival. That disturbing news set the tone for what proved to be an unbelievably frightening day in Johnston, a suburb of Des Moines. Starting at around 8 p.m., some families with children in the school district began receiving anonymous text messages threatening violence to the students and to their schools.
The graphic, malicious communications were “very personalized,” identifying individual students by name, address, and phone number, says Laura Sprague, communications director for the Johnston Community School District. They contained words that would strike fear “deep down to the core” of any parent, she recalls.
By midnight, the text messages stopped, but not the threats. Notifications appeared on Twitter stating that students’ personal information had been leaked to an online dump site. One post said, “With the student directory from JCSD we released, any child predator can now easily acquire new targets and even plan based on grade level,” the Des Moines Register reported.
Local, state, and federal law enforcement confirmed that Johnston had been the latest school victim of an electronic data breach. The district closed its schools for a full day until investigators ruled out any credible threat.
Vulnerable Targets
Like financial institutions, retailers, and Fortune 500 companies around the world, school districts are increasingly finding themselves and the personal information they hold about students, faculty, and staff targets of costly cyberincidents, including phishing schemes, malware intrusions, and denial of service (DoS) and ransomware attacks.
The K-12 school community is “a very vulnerable target” because of the personally identifiable information they have on students and staff, such as Social Security numbers, dates of birth, and home addresses, says Kathy Wetzel, chief information officer for the Texas Association of School Boards (TASB).
Some bad actors “just want to wreak havoc,” she adds, “but most are trying to gather data that they can sell on the black market.” Buyers use that information, especially with a Social Security number and an address, to open bank accounts, apply for credit, and conduct other forms of identity theft.
In September, a seven-page extortion letter demanding $150,000 in the digital currency bitcoin was sent to the superintendent and board members of Montana’s Columbia Falls School District. Hackers had stolen personal information from a district server, including special education and behavioral-health reports. They also sent parents graphic messages threatening their children with violence.
School administrators in neighboring communities in the state’s Flathead Valley also received anonymous threats via text message and email, prompting schools countywide to shut down for three days.
An overseas hacker group known as TheDarkOverlord Solutions claimed responsibility. The same group was linked to the cyberattack in Johnston.
An October advisory from the U.S. Department of Education warned teachers, students, and parents of the new cybercrime threat and noted that hackers likely target “districts with weak data security, or well-known vulnerabilities” in their networks and servers that enable them “to gain access to sensitive data.”
School computing systems also are proving to be a lucrative target for criminal hackers who use them to hide activity against a bank or other entity, says Ryan Cloutier, principal security architect with Technology and Information Educational Services (TIES), a Minnesota-based educational technology solution collaborative owned by 48 school districts. Hackers will “connect from one school to another to another, making it even harder for law enforcement to trace their actions,” says Cloutier, who conducts security audits for school districts.
No Immunity for Schools
At least 320 K-12 cybersecurity-related incidents, both intentional and unintentional, have been reported in the media since January 2016, says education technology consultant Douglas Levin. His EdTechStrategies website (www.edtechstrategies.com) is well known for its K-12 cyberincident map and database. But Levin is quick to note that the database only includes publicly reported school-based cyberincidents and that many more likely go unreported.
“There’s no reason to believe that schools would be immune or exempt from the larger trend of more data breaches,” Levin says. “In some respects, schools might be in a more difficult position” because of their growing reliance on online technology; tendency to use a wide variety of devices, software, and online sites; substantial number of users; and budget constraints when it comes to hiring staff skilled in technology security.
Rod Houpe, chief information officer for the Cleveland Metropolitan School District, agrees: “I think most school districts are really struggling with how to keep student and staff data secure within their four walls, or when they’re interacting with third-party providers, or using cloud providers.”
That point was highlighted in a 2017 survey conducted by the Consortium for School Networking (CoSN) and the Education Week Research Center. Among 440 K-12 IT leaders surveyed, only 15 percent said they have implemented a cybersecurity plan; just 19 percent said they have cybersecurity practices audited by an outside group; and 28 percent said they are adding security safeguards to vendor negotiations.
It was through an outside security audit of Johnston’s computer servers and security protocols and procedures following the October cyberattack that the district discovered that its data had been hacked not from the school district’s server, but from a third-party vendor that it worked with, Sprague says.
Repairing Breaches
Some cases of data exposure are the result of actions taken closer to home. In 2014, personnel files and Social Security numbers of more than 10,000 current and former employees and students in Missouri’s Park Hill School District were potentially leaked on the internet when a former employee downloaded files onto a hard drive without authorization. When the employee connected the drive to a home network, the files were posted onto the internet. The district learned of the breach after a local resident spotted a document online during a Google search.
TASB experienced its own security breach in May 2017 when the names and Social Security numbers of potentially 450,000 Texas school district employees were exposed on the internet via a website application. The application was used to report wages to the Texas Workforce Commission for an unemployment compensation group program TASB administered for participating district employers.
“A school employee called her district when she saw a piece of information about herself on the web,” Wetzel says. “The district called us, and once we were able to verify the situation, within a few hours we turned off the application completely, but the exposure had already happened.”
TASB’s notification to those affected was slowed by a legal requirement to make that notification by mail, she adds. “While we had a Social Security number of the district employees, we did not have their home addresses” and had to reach out to the individual districts for that information.
TASB followed the advice of its cyberinsurance carrier and a privacy attorney as it attempted to remediate the breach, including strengthening and enhancing its security practices, conducting an external review of its security settings, and providing a year of free credit monitoring and identity theft resolution service to those affected. There was no evidence that any of the employee information was used in any way, Wetzel says.
Insurance Helps
Cyberinsurance policies are a fast-growing offering of many insurance companies that can help districts offset such costs as conducting a forensics investigation to identify how and what exposure took place; repairing hardware damage; reducing the chance of a repeat incident; establishing a call center so that impacted employees can get information and assistance; and paying for credit monitoring.
Some policies will help a district defend itself if it becomes the target of a lawsuit resulting from a breach, Levin says. But he cautions that coverage “is not yet particularly well standardized,” so understanding the fine print is vital.
The Cleveland Metropolitan School District’s investment in cybersecurity insurance also proved useful after the district’s IT security team identified “suspicious activity” in its data in January 2017. An investigation revealed that an online phishing scam had targeted employees’ direct deposit payments.
Less than 1 percent of the district’s 7,500 employees responded to the scam by clicking on a fraudulent link and entering their district credentials, Houpe says. As a result, a limited number of payments were directed to an unknown third party.
After discovering the malicious activity, the district moved to “restore the affected employees’ compromised credentials and ability to work securely in the district’s network,” he says.
With the assistance of a forensics expert provided by the insurance carrier, the district conducted a thorough review of its data. It also put in place checks and balances to enhance security of its computer system and protect against future incidents.
Because Cleveland previously had developed a plan in case of a data security event, it knew to contact the various law enforcement authorities, involve its legal counsel, and engage the district’s strategic communications team. As with any crisis management situation, the goal was to provide accurate, verified information and get ahead of the story as it rolled out in the media, Houpe says.
Minimum Amount of Data
Often, a school district’s internet service provider can offer a bundle of network-level protections — everything from firewalls to sophisticated monitoring capabilities, Levin says. He recommends that districts talk to their existing vendors, ask them about their security practices, and “get their recommendations about what else schools can be doing to secure themselves.”
Although corporations have far more financial resources to use against phishing and other cyberattacks, “it’s the same threat that we face here in education,” says Eric Hoth, data security chief for North Carolina’s Wake County Public School System. “It’s the same people coming after you.”
With that in mind, one of Wake County’s cybersafety precautions has been to rid its data system of as many Social Security numbers as possible. “A few years ago, there were Social Security numbers all over the place,” Hoth says. Today, “the only reason it might be in our system is if a student is receiving some federal services and we’re required to report it. We always ask, ‘What’s the minimum amount of data we need to move forward?’”
Determining the minimum amount of information needed to share with third-party providers became an important lesson learned for Johnston Community Schools after its data was stolen. A security audit revealed that although the district’s servers were secure, access to the students’ names, addresses, telephone numbers, school ID numbers, grade levels, and in some cases, the names of students’ child care centers, had come via a technology vendor that worked with the district.
“Knowing it wasn’t on our server was a confidence boost, but obviously we were still quite affected,” says Sprague. Today, the district is conscious of the fact that if a vendor is “receiving more data than they need, we can trim down that script of information to minimize access.”
Along with limiting the amount of data collected and shared, Levin recommends that districts examine limiting the amount of time the data is retained and encrypting the data so that, if it is obtained, “it’s that much more difficult to use.”
Even with the best security plans in place, however, it’s important to remember that there are “very few organizations, of any size, of any type, that can guarantee absolute security,” he says. That’s why it’s important to develop a response plan should your data be leaked or information exposed. Knowing in advance what data you have, where it is located, and how you will go about remediating a breach will go a long way toward responding and save valuable time, Levin says.