According to a report from the K-12 Cybersecurity Resource Center, the K-12 public school districts and education agencies across the U.S. suffered a total of 348 cyberattacks in 2019, which is three times more incidents that were disclosed in 2018. The report, “The State of K-12 Cybersecurity: 2019 Year in Review,” stated that most of the attacks that were significant resulted in the theft of millions of dollars, stolen identities, denial of access to school technology and IT systems for weeks. The effect of such attacks on educational institutions resulted in loss of personal information, including student grades and qualifications, teacher employment and payroll information, and family records and medical health records.
The report also highlighted that 775 cybersecurity incidents impacted students and educators since 2016, in which over 50% of them were due to insiders in the school community, including vendors and other third-party partners. The second most frequent type of security incident suffered by schools, according to the report, was ransomware attacks.
Douglas A. Levin, President of EdTech Strategies and report author, said, “There are important steps policymakers, IT leaders, and educators can collectively take to help mitigate the cyber risks facing school districts. These include investing in greater K-12 IT security capacity, mandating baseline K-12 cybersecurity risk management practices via regulation and supporting enhanced information sharing and research.”
Ransomware Attacks on K-12 Schools
According to a report from Emsisoft, an anti-malware and anti-virus service provider, there were around 86 universities, colleges, and school districts impacted, which in turn disrupted operations of nearly 1,224 individual schools due to ransomware attacks. The report also shared a list of top three incidents of public schools being affected by ransomware attacks:
Louisiana public schools: In July 2019, Louisiana Governor declared a state of emergency after three public school districts fell victim to ransomware. A State of Emergency was re-invoked in November when another ransomware attack affected 10% of Louisiana’s 5,000 network servers and more than 1,500 computers.
Rockville Centre School District: On July 25, 2019, Ryuk ransomware hit Rockville Centre School District. The district’s insurance carrier negotiated the ransom demand of US$176,000 down to US$88,000, which was covered by them.
Las Cruces Public Schools: In late October 2019, a ransomware attack infected thousands of servers and devices in Las Cruces Public Schools, New Mexico. The district disagreed to pay the ransom and instead ended up reformatting close to 30,000 devices.
K-12 Cybersecurity Act
K-12 district schools have been a soft target for cybercriminals. To address the same, two U.S. Senators, Gary Peters (Michigan) and Rick Scott (Florida), both members of the Senate’s National Security and Government Affairs Committee, have tabled a new bill called “K-12 Cybersecurity Act” in December 2019.
The K-12 Cybersecurity Act was introduced to address the rising threat prospective on K-12 schools. The Act directs the DHS Cybersecurity and Infrastructure Security Agency (CISA) to first study the specific cybersecurity risks associated with K-12 educational institutions. Once the study is done, CISA will then be responsible to develop cybersecurity recommendations and set up online tools to help schools with their cybersecurity requirements.