Editor’s Note: This is part 1 of a three-part series on cybersecurity in K-12 education. Part 2 will focus on the National Initiative for Cybersecurity Education.
When Terry Van Zoeren came out of retirement this year to be interim superintendent at a New Jersey school district, he didn’t anticipate dealing with a cyber attack.
But the 20-year administration veteran was forced into action in March when a savvy foreign hacker held the Swedesboro-Woolwich School District’s computer system for a ransom — making it impossible for kids at four elementary schools to take their online statewide tests as scheduled.
“I hadn’t expected anything like this to happen,” Van Zoeren said in an interview last week with FedScoop. “It made us think really long and hard about the security necessary to make sure something like this is less likely to happen again.”
Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of people (in the recent Office of Personnel Management case, 21.5 million workers were impacted). Their personal information is scattered to unknown reaches of the globe and is as secure as a treasured item stored in an unlocked chest.
But experts say K-12 schools are also at risk — from outside threats and students who want to stir up trouble — as they rely more on technology for day-to-day operations and incorporate more software, apps, online programs and Web-based testing into classes.
There’s also the wealth of data that schools routinely collect on students and store on their servers, from attendance records to medical issues.
In 2013, about 15,000 students at Sachem School District in Long Island, New York, had personal data, including school ID numbers and the names of those receiving free or reduced lunches, posted to an online forum. Cops later arrested a 17-year-old high school student in the district who pleaded not guilty, according to Newsday.
In Jersey City, New Jersey, a charter school last June was able to obtain names, addresses, phone numbers, dates of birth and possibly Social Security numbers of students attending traditional public schools to mail them registration forms, according to the Jersey Journal.
And teachers’ data, including Social Security numbers, was compromised during an attack at Prince George’s County public schools in Maryland — affecting 10,000 of the district’s nearly 24,000 employees, the Washington Post reported last November.
“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.”
While the Federal Trade Commission goes after bad actors that violate customers’ privacy, they are limited to pursuing corporations — not tech mavens behind school breaches. The agency brought cases against Fandango and Credit Karma for deceiving customers about the security of their information on the companies’ mobile apps.
An FTC spokesman said the agency has not issued guidance to schools about how to best safeguard their information.
A Department of Education spokesman echoed the statement, saying the agency does not track school cyber attacks.
In the case of Swedesboro-Woolwich, which serves nearly 2,000 students, district officials alerted the FBI. The Gloucester County Prosecutor’s Office and the New Jersey State Police cyber crimes unit also investigated the ransomware attack.
“The community’s greatest fear was that private information had fallen into the hands of people who shouldn’t have it,” Van Zoeren said.
But he reassured worried parents that none of their children’s personal information was compromised — the hacker’s intent, instead, was to extort the district for 500 bitcoins, which translates to about $128,000. Van Zoeren still does not know the identity of the attacker or group of hackers.
The cyber criminal was able to get into the system through a weak password held by a third-party vendor the district contracts with to provide maintenance work on the network.
“We made the decision to not comply with the [financial] demand and to simply rebuild our system,” Van Zoeren said.
But it wasn’t that simple.
The rebuilding process took about two weeks, which meant teachers, administrators and students were barred from using computers. A cadre of workers from the Educational Information and Resource Center, an education nonprofit group based in New Jersey, was dispatched to help the district reconstruct its system. They completed the work for free.
“This was the largest breach that we had been involved with,” Charles Ivory, executive director at EIRC, told FedScoop. “There were security issues in the system, and we were able to correct those.”
EIRC built the district a more robust firewall, and now teachers, administrators, students and third-party vendors know to use more complex passwords.
The district now contracts with the nonprofit, which offers everything from child assault prevention services to technical assistance, to monitor threatening behavior from would-be hackers.
Experts told FedScoop that schools should be just as agile as banks when it comes to protecting and strengthening security protocols around student and teacher data.
“K-12 communities have been slow to adopt the strict kinds of security standards that a retail or banking customer has had for many years,” said Maggie Hallbach, vice president of government and education for Verizon. “The unique challenge is that increased attention be paid and increased funding set aside by counties, towns and boards of trustees to support programs to secure this information.”
Hallbach added that schools should identify their “critical” data.
“Do you need to secure school lunch menus? Probably not,” she said. “You need to secure your staff payrolls, records that may have Social Security numbers. It’s very difficult to protect something if you don’t know where and what your critical data is.”
Van Zoeren, who officially retired a second time last week, said he has no intention of returning to his post overseeing a district.
But if he does, “I want to go to a district with no computers,” he joked.
Reach the reporter at firstname.lastname@example.org or follow her on Twitter @clestch.