Hackers are using stolen data to make threats against children, and the U.S. Department of Education is warning school districts nationwide to beef up their cybersecurity in response.
The threats — some of which have been sent directly to parents — are personal and specific, and are intended to extort money from school districts.
A cyber threat alert issued by Tiina Rodrigue, senior adviser for cybersecurity in the Department of Education’s Federal Student Aid office, said the ransom demands relied “on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming or bullying the children unless payment is received…
“Hackers are likely targeting districts with weak data security or well-known vulnerabilities that enable the attackers to gain access to sensitive data.”
In Columbia Falls, Mont., a “series of ominous text messages … escalated into violent, graphic cyber threats targeting the valley’s schools, students and families,” the Flathead Beacon reported Oct. 5.
The threats forced the closure of more than 30 schools for three days.
The FBI determined the attack was the work of a sophisticated overseas cyber crime group called The Dark Overlord Solutions and found “no credible threat of physical violence.” But the organization stole vast amounts of medical data, names, addresses and contact information for past and present students and posted it on a publicly accessible web site. The full extent of the hack is unknown.
While Colorado school districts are not among those known to have been targeted so far, Terry Bradley, chief technology officer at PLEX Solutions in Colorado Springs, said they should “absolutely” expect to see this kind of attack increase.
“The prize the cyber criminals are going after is data and personal information, and school districts have lots of that in terms of staff, in terms of students,” he said. “There’s been a long history of hackers using their access to do different kinds of extortion. I think this is just a further type of development of that extortion mindset.
“Hackers are constantly looking for more [extortion methods] and now personal information has become such a lucrative source,” Bradley added. “I mean, you’ve got everything right there at your fingertips to contact these people directly — and instead of extorting one entity, now you can extort many.”
The threat is all the more worrying because many school districts are struggling with cyber defense.
“In my experience, a lot of school districts are not very well protected,” Bradley said. “They’re operating with very limited IT resources and it’s very rare to find a school district that has a person who’s focused on security.
“Most — if they have IT staff — are exclusively looking at keeping the network working, installing things, implementing new features, new applications; it’s all focused on functionality and availability. They’re not equipped, in most cases, to handle these attacks or to understand how vulnerable they are.”
Academy School District 20 Chief Information Officer Shelley Kooser said D-20’s decision to prioritize cybersecurity is about protecting the district’s reputation as well as protecting student and staff information.
“It’s a multifaceted approach to keeping the data secure and safe,” she said. “There are several things that we’re doing because I don’t think there’s just one thing you can do.”
D-20 pays for ongoing penetration testing — a kind of ethical hacking that locates and exploits a system’s security flaws — including monthly external scans. The district also started encrypting staff laptops this year, Kooser said.
“That’s a big thing. … Data is held in major data systems, however sometimes staff — whether it be nurses or the special education department — may have to have forms on their laptops that have sensitive information,” she said, “so we have started that encryption process on those laptops in case they get stolen or lost.”
Kooser said D-20 also boosted the protection of students’ personal information by complying with the new Student Data Transparency and Security Act in July, several months before the required deadline.
Beyond Montana, the Dark Overlord group is also known to have attacked Johnston Community School District in Iowa. Splendora School District in Texas and Crenshaw County Schools in Alabama suffered similar attacks, although the group was not named in those cases.
In Columbia Falls, hackers demanded Bitcoin payment in return for ending the threats and destroying the data they had stolen, threatening that if the ransoms were not paid, “we will escalate our use of force in a tiered process that will involve an ever increasing level of damage and harm for you.”
Bradley said that while spending on cybersecurity is often reactive, school districts can’t afford to wait until after they are attacked.
“In this case the handwriting is on the wall, that school districts need to get prepared for this, they need to up their game because they’re clearly a target,” he said. “This isn’t speculation on the part of information security professionals trying to sell things; this is really happening and I think that the days of hoping to dodge the bullet are over.”
Bradley said school districts should commission security audits or penetration testing “to make sure you’re really protected like you think you are.”
It’s an area of cybersecurity where many districts don’t spend enough, if they spend at all.
“There also needs to be a lot of focus on detection,” he said. “We know banks are not invulnerable to bank robbers and houses are not invulnerable to burglary. … On the cyber front it’s the same way: Determined cyber criminals are going to get into networks, they’re going to get into systems at some point. We need to have better detection to know when that happens.
“You also need some hardening in your network,” he added. “School districts need to make sure they’re encrypting data inside their network — so when the bad guy gets in your house, all the valuables are not sitting on the kitchen table.
“There’s a variety of ways that attackers get into school districts. If everything is unencrypted on the inside then it’s just going to be a field day for them.”
The U.S. Department of Education’s cyber advisory urges school districts to:
• Conduct security audits and update systems;
• Routinely create and review proper audit logs;
• Train staff and students on data security and phishing/social engineering awareness; and
• Review all sensitive data to verify outside access is appropriately limited.