Here’s why K-12 school districts are under attack
It’s been over seven years since hackers broke into Yahoo’s network and stole the personal information of approximately three billion user accounts. Since then we’ve seen dozens of trusted brands lose sensitive data to malicious attacks: Adobe, Equifax, Canva, Facebook, Marriott International, and many more. By most standards, all of these companies are large and profitable, and they should be able to afford the best available cybersecurity expertise. Still, hundreds of millions of people around the world have lost their sensitive data to criminal hackers after doing business with these companies.
It’s clear that criminals love the ‘big score’ they get from breaking into a large company, but they’ve also found value in the student data kept by public schools. Attacks against K-12 school districts have increased in frequency and severity over the past few years. Criminals are putting more effort into breaking into school networks to drop malware and steal student records. In the context of the larger corporate breaches that dominate headlines, hacking a K-12 school makes no sense. For the most part, students have no credit card data, no bank accounts, no security questions/answers, no personal email/password credentials, and very little medical information in their records. Where’s the big score here?
The public schools industry
To understand why schools are such a rich target, it may help to start by looking at the bigger picture. The public schools industry employs nearly 6.7 million people and is the largest industry by employment in the United States. This industry serves kindergarten through 12th grade students in regular education elementary and high schools, charter schools, magnet schools, and nontraditional education. These schools provide a government-funded education that is free of charge to the community.
This free education generates a market size of nearly $806 billion. Schools partner with private companies that offer resources to students or assist in the operations of the school district. McGraw-Hill Education, Adobe Systems, and Cisco Systems are some of the largest partners in the public schools industry. Schools are also turning to SaaS applications and cloud deployments to control costs and leverage the benefits of these resources. Microsoft 365 Education and Google Apps for Education have been widely adopted over the past several years. The transition to remote learning in 2020 proved the value of these online productivity suites, as schools started using Google Classroom and Microsoft Teams to keep kids ‘in school.’
Despite the size of the industry and its reliance on connectivity and technology, individual school districts rarely invest in the level of cybersecurity appropriate to the risk. This is why public schools are considered ‘soft targets’ by cybercriminals. Schools hold a lot of valuable data that is not well protected.
Public K-12 schools serve over 50 million students in the United States. The data generated by these students will follow them through their time in school and may remain in place for several years after the student has left the district. Each student record will include a Social Security number, date of birth, home address, parent or guardian information, class grades, and possibly financial, medical, and other sensitive information. These records are valuable to identity thieves and other criminals because they are complete profiles of an individual, and the individual in question probably has no credit history. Student identities are a blank slate when it comes to financial scams.
One example of how these records are used comes from the September 2020 Toledo Public Schools data breach. Approximately six months after the student and employee records were leaked, evidence of fraud started to surface. 13abc Action News in Toledo reported this story from one of the victims:
He’s now learned his son’s information is in the hands of people it shouldn’t be. Here are some of the messages he’s received about his elementary schooler:
- The first one was for denial for a credit card.
- Another one happened when the child was denied for a car loan because it said the reason was because of his income ratio.
- One of the last ones was to have fixed electric rates.
- The family got a flier talking about the student’s Toledo Edison account and the gift card he could get by switching suppliers.
“They’ve got our children’s information and they’re trying to use it,”
Student records are reportedly worth $250 to $350 on the dark web because it's so easy to establish a false identity around a young person with no financial history.
Student records and ransomware
Student data is also used as leverage in double-extortion ransomware schemes. Ransomware attacks on K-12 schools have been increasing in frequency and severity, with some ransom demands exceeding $1 million. The FBI and other security agencies recently issued a joint report showing that K-12 schools were the top target for ransomware attacks and had suffered 57% of all successful ransomware attacks in the second half of 2020.
Law enforcement advises ransomware victims not to pay ransom, and many organizations will ignore ransom demands if they have a backup of the data that was encrypted by the attack. To increase the stakes, criminals now steal data before encrypting it for ransom. If the organization refuses to pay the ransom, the criminals threaten to leak the data. This was the case in the Toledo Public Schools breach mentioned above.
Protecting student records and other data
The best way to protect data is to deploy multiple layers of security across the school district. Email, network, and application security all work together to protect the network and data from intruders as well as accidental loss. Security awareness training for end users is also a valuable investment, particularly in the area of phishing and other email attacks.
Barracuda provides a complete set of solutions for the K-12 environment. Visit https://www.barracuda.com/programs/k12 for details.