The K-12 Cyber Incident Map is peppered with markers showing school cybersecurity breaches — and its author says that’s just the tip of the iceberg.
“The numbers I have are an under-count,” said Doug Levin, president of EdTech Strategies LLC.
Feedback from school district IT leaders and cybersecurity vendors, he said, “is that ‘This is really interesting information — and by the way, it’s way worse than what you are seeing.’”
The interactive map goes hand-in-hand with Levin’s report, “The State of K-12 Cybersecurity: 2018 Year in Review,” which aims to throw light on the cyber threats and risks facing K-12 schools, students and educators.
While cyber breaches at K-12 schools have been included within larger data sets in some other cybersecurity reports, the report said, what’s still missing is “a K-12 specific lens on the issue” that will give school leaders and policymakers information they can act on.
The map (online at k12cybersecure.com/map) is an effort to build a picture of the state of cybersecurity in public K-12 schools and districts as they increasingly lean on IT systems for teaching, learning and school operations — and therefore face skyrocketing cyber risks. While publicly reported attacks are happening at a rate of one every three days, schools are lagging when it comes to putting protections in place.
“You’d be hard pressed to find anyone in a school district with ‘digital security’ in their title. You’d be very, very hard pressed,” Levin said. “And yet they may have dozens, if not hundreds, of IT products in use. They may have thousands of devices — not just in the classroom but managing their HVAC systems and telephone systems; things like smart boards, projectors, bell systems and printers may be internet connected. And these are all computers and they can all be compromised — and there are a multitude of examples of that.”
Despite their broad exposure to cyber risk, Levin said, school districts tend to have fewer IT staff compared to other organizations, their technology systems tend to be older because they don’t have money to keep them up to date, and decision-making about technology tends to be decentralized — individual schools and teachers are often making choices about technology products.
Rodney Gullatte Jr., founder of Firma IT Solutions & Services, gives the example of a Colorado Springs charter school that required a 21-page student registration packet via Yahoo mail, which is known to have been breached.
“They were asking for the kid’s Social Security number, a copy of the kid’s birth certificate, they wanted financial information for the reduced[-cost] meal plans, they wanted emergency contacts … and now you’ve got this packet that’s a wealth of personal, private information that a hacker would love to get his hands on — and they want you to send it to the school’s Yahoo account. Yahoo! That’s all they had!
“… You can’t put your information in gmail.com, in Google Drive,” Gullatte added. “It’s getting sold in real time. You can’t use Yahoo, my goodness, for your school email. Every single one of those registration packets that was sent to Yahoo has been breached — all of them.”
That’s one example. So how big is the problem?
No one really knows.
The K-12 map identifies 122 publicly disclosed incidents across 38 states in 2018, “and that’s the floor,” Levin said. “The number of actual incidents may easily be 10 or 20 times that number.”
The real scale of the problem is impossible to pin down because so many cyber incidents go unreported — schools and school districts are reluctant to report them for fear of negative publicity; reporting requirements vary significantly from state to state; and even required breach disclosures are often not publicly accessible. In addition, the report emphasizes, when schools lack cyber defenses, there can be “a considerable gap” between the cyber breaches they’re aware of, and the number that actually happen.
How bad are the risks?
An effort to face the magnitude of schools’ cybersecurity challenge is critical, Levin said, because the fallout from these cyber incidents can be severe.
“I’ve seen the scamming of school districts out of hundreds of thousands or even millions of dollars,” he said.
And he points out that schools readily plan for risks that are unlikely but dire, like blizzards, fires, tornadoes, or school shootings, but many don’t prepare for cyber disasters.
“No one would argue a school shooting isn’t incredibly significant, but if you look at the math it’s not likely that a school would face this threat,” he said. “But you put in place a plan and some controls to minimize the chance of something happening, or being able to respond more quickly when it happens.
“I would argue that cybersecurity incidents are probably a similar class of risks facing schools. As they’ve adopted technology and they rely on it not just for teaching and learning but for administration and operations, losing access to these systems is significant, the data that are in there are quite valuable.”
Even though “we don’t think of schools as being rich,” Levin added, they manage large amounts of money, as well as buildings, facilities, transportation and food services.
“Depending on the size of the school district, they could have tens of thousands of students and thousands of employees,” he said. “There’s a lot of people, there’s a lot of money, and we’ve seen … issues of identity theft and tax fraud, we’ve seen school systems scammed out of hundreds or even millions of dollars, we’ve seen schools knocked offline by malware or denial of service attacks for weeks at a time, and where they’ve lost data — permanently. Those are significant incidents.”
The FBI weighs in
In September, the FBI issued an alert titled “Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students,” which stated that “U.S. school systems’ rapid growth of education technologies and widespread collection of student data could have privacy and safety implications if compromised or exploited.”
The types of data at risk, according to the FBI, include: personally identifiable information; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.
“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the alert said.
What’s the worst that could happen?
According to the FBI, the widespread collection of sensitive information via education technologies presents “unique exploitation opportunities” for criminals.
“For example, in late 2017, cyber actors … [hacked] into multiple school district servers across the United States,” the alert said. “They accessed student contact information, education plans, homework assignments, medical records and counselor reports, and then used that information to contact, extort and threaten students with physical violence and release of their personal information … and stated how the release of such information could help child predators identify new targets.”
The State of K-12 Cybersecurity covered that threat in 2017, and in the 2018 report, publicly disclosed incidents alone included the following.
• 46 percent of all K-12 digital data breaches included data about current and former school staff (from payroll or other personnel records) which, in some cases, led to payroll theft, identity theft and the filing of false tax returns.
• Phishing attacks targeted school district business officials and redirected large payments from legitimate school contractors to criminal accounts. (The largest totaled approximately $2 million in losses by a Texas district.)
• IT outages caused by malware on school tech systems dragged on for weeks. In some cases, school districts paid ransoms to regain access to systems.
• Just over half of all digital data breach incidents were directly carried out or caused by “insiders” — staff or students — whether maliciously or by mistake.
• Student data were compromised in more than 60 percent of K-12 data breaches.
Students’ information is particularly attractive to criminals, Levin said.
“When it’s student identity information, they’re using it to open new accounts,” he said, “and they’re able to exploit those accounts in some cases for many, many years — really until kids are 18 and they start to open up their own accounts and find they actually have a credit record, and that it’s been ruined.”
Why is school cybersecurity failing to keep pace with the risks?
“It’s only really within the last five years that schools are actually relying on technology in pretty fundamental ways,” Levin said. “It was always available, but it was sort of a nice-to-have, not a need-to-have. Within the last few years schools are relying on technology more than they ever have — not just in the classroom but for school operations. So while those incidents may have occurred before … the consequences are now much graver than they were.”
The Colorado incidents shown on the map don’t represent the full tally of cyber breaches in the state’s K-12 system, and Levin hasn’t yet had the resources to systematically compare state laws on cyber breach disclosure requirements.
“As such, I can’t say with confidence how Colorado compares to other states,” he said.
But the report’s lessons are relevant nationwide:
1. Publicly disclosed incidents do not give the full picture of the cyber risks to schools.
2. Cyber incidents do not seem to discriminate by school location, community type or size.
3. The impact of publicly reported K-12 cyber incidents is significant, with incidents in 2018 resulting in “the theft of millions of taxpayer dollars, stolen identities, tax fraud, altered school records, website and social media defacement, and the loss of access to school technology and IT systems for weeks or longer.”
Levin emphasized that even those without ties to any school district should be concerned.
“I’ve also argued unsecured school technology poses a public risk,” Levin said. “Denial-of-service attacks are frequently launched from unsecured computers, including school computers, and they may target business or other critical infrastructure. Likewise, unsecured school networks may enable the spread of malware, botnets, be engaged in cryptocurrency mining, and/or online ad fraud.
“So, it is fair to say that even if you do not have children in schools or a direct connection to a district, there are public risks associated with lax cybersecurity practices of organizations that may expose thousands of devices to the internet.”