The number of ransomware attacks, data breaches and other cyber incidents affecting K-12 schools could be 10 to 20 times greater than what’s reported publicly, according to a new report from an education security group.
The K12 Security Information Exchange, or K12 SIX, said in its annual report Thursday that weak disclosure requirements for school districts and vendors result in the number of breaches being vastly undercounted, which in turn undermines efforts by researchers, policymakers and education officials to address the cyber threats that teachers and students face.
Overall, K12 SIX counted 166 incidents across 162 districts nationwide in 2021, figures that include ransomware attacks, business email compromise schemes, denial-of-service campaigns and other attacks targeting both schools and the IT vendors that serve them. But those figures are a significant step down from the 408 incidents the group counted in 2020.
“The lack of more robust K-12 cyber incident public disclosure requirements only serves to obscure the realities of school district and vendor operations from those charged with oversight, and to place school community members at unnecessary risk,” the report reads.
As an example, K12 SIX pointed to Broward County Public Schools in Florida, which fell victim to a ransomware attack in March 2021, but waited until late November to inform about 50,000 students, teachers and other staff that their personal information may have been compromised in the breach. And it wasn’t until last month that the South Florida Sun Sentinel reported that the Broward schools — the nation’s sixth-biggest school district — took five months to make required notifications to the U.S. Department of Health and Human Services and also lobbied Florida lawmakers to pass legislation that would exempt cybersecurity incident reports from public records requirements. (The bill, HB 7507, passed unanimously.)
Cyberattacks against school systems have grown more complex over the past year, said Doug Levin, K12 SIX’s national director. Levin said schools face a range of issues, including insider threats from teachers and students and vulnerabilities affecting IT vendors, to say nothing of criminal actors.
“The headline this year has been the rise and continued evolution of ransomware,” he said.
Some of the ransomware attacks that hit schools over the past year employed new tactics, including one incident in Allen, Texas, in which malicious actors emailed parents with threats to publish their kids’ personal information if school officials didn’t pay up. (The district refused to pay.)
The cost of recovering from ransomware incidents may also be rising, Levin said. Over the past year-and-a-half, the school districts in Baltimore County, Maryland, and Buffalo, New York, have each faced nearly $10 million in recovery and upgrade costs following attacks.
“I would not be surprised to see figures like that coming from other districts,” he said. “From our perspective, it could’ve cost less money and a lot less heartbreak if a good proportion of that money was spent [upgrading IT] on an ongoing basis.”
The K12 SIX report finds a few glimmers of hope in some recently passed federal legislation, including last year’s $1.2 trillion infrastructure spending plan, which included $1 billion in state and local cybersecurity grants. Levin said his sense is “K-12 schools have the potential to benefit,” though that’s subject to how states craft their plans for how they’ll distribute their grants to local governments.
Levin also pointed to last year’s K-12 Cybersecurity Act, which directed the Cybersecurity and Infrastructure Security Agency to review risks faced by the education sector and develop new guidelines for protecting teacher and student data.
“Our hope is that it will lay the groundwork for future action,” Levin said.