Cyberattacks on schools put students in a dangerous position as many struggle to understand the specific risks after an attack.
Education has become the fifth most targeted industry for data breaches, according to a recent report from Nord Security, with U.S. schools experiencing a sharp increase in hacks in recent years.
American children typically lack the financial data often sought in a cyber strike, but experts warn about the potential for long-term identity theft and emotional distress these events can leave behind, in addition to interfering directly with classes.
“No matter how you conceive of the issue, these incidents are getting more significant, more severe,” said Doug Levin, national director for K-12 Security Information eXchange (K12 SIX). “You could measure that in terms of the amount of money responding to these incidents costs, [or] it could be in the amount of data or sensitivity of the data that is being stolen and leaked.”
The Government Accountability Office (GAO) said the “scale and number of attacks” particularly soared during the COVID-19 pandemic, when most schools had to go to remote learning. The most common types of cyber strikes against educational institutions include ransomware, phishing, distributed denial of service attacks and video conferencing disruptions.
K12 SIX found 1,619 cyberattacks on schools from 2016-22. The two biggest from last year targeted the public school districts in New York City and Los Angeles.
“Unfortunately, as expected, data was recently released by a criminal organization,” Alberto M. Carvalho, superintendent of Los Angeles Unified School District, said at the time. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.”
Some of the consequences for schools during a data breach are obvious, including hackers getting access to bank and other financial information of employees.
But students and parents face their own unique challenges in the aftermath, including sometimes missing school days as criminals hold systems hostage.
“Ransomware is the type of incident that has led to school closures,” Levin said, adding that such incidents have resulted in “school districts out millions of dollars, sometimes paying extortion demands of ransomware actors, other times spending that money just in remediating what it allowed to be compromised in the first place.”
The GAO found school districts can lose anywhere from $50,000 to $1 million after a breach.
The attacks have led to “days that schools have had to shut down and not be able to provide services or had other disruptions to the day-to-day work of schools and teachers and kids,” Levin said.
And while many students have little financial information in the school system, their profiles can be surprisingly attractive to criminals.
“We basically have an environment in which we have hundreds of thousands of minors who have clean credit reports, so identity theft is a very real concern,” said Linnette Attai, president of PlayWell LLC, a data privacy consulting firm.
Identity theft for students is a particularly hard issue to tackle, especially for the very young. While adults may be able to notice right away if someone is trying to take over their bank account, students might not find out for years to come.
“We actually strongly encourage all parents, not just parents whose kids have been victimized by an incident in school, that all parents freeze their credit records of their children,” Levin said.
And even if there is no specific financial damage, experts say cyberattacks on schools can leave behind an environment of fear.
“What this causes for students and parents is — and I don’t think this can be understated — is tremendous mental and emotional anguish. Imagine that your very life was out there for strangers to see you … what you ate for lunch, how you did in class, whether you acted up that day, how many times you go to the school nurse and for what and how many sit-ups you did in gym class,” Attai said.
“Whether or not you have special tutoring or accommodations, whether or not you’ve got an [Individualized Educational Plan] or have certain vulnerabilities, special needs. All of that was just out in the open for people with bad intentions to see. It’s incredibly distressing,” she added.