Ransomware Attacks Shut Down City Services in Atlanta and Baltimore, Now Spreading to School Districts. How Can Schools Protect Themselves?
Columbia Falls School District was in trouble. What started as a strange text message on the superintendent’s phone one day in mid-September 2017 had quickly become an email and then a chain of emails sent to school officials and parents threatening graphic violence in the district south of Montana’s Glacier National Park.
And then, finally, there was the letter.
“We know who you are, Columbia Falls. We know everything about your operation. We know everything about your schools and the children in them,” it read, addressed to the district’s Board of Trustees.
“If you receive a message from us, it means you have been completely and thoroughly attacked and breached by an organised entity of creatures who are motivated only by their love for internet money.”
Superintendent Steve Bradshaw and his colleagues now recognize that these messages were the first signs of a districtwide cyberattack. This was ransomware, the technology that made headlines this spring for bringing civic operations in Baltimore to a halt. The malware takes hold of victims’ data and the hackers then threaten to publish or delete the information if the ransom isn’t paid.
Hackers have used ransomware to extort individuals for years, but their focus on larger businesses and public entities is becoming more common now, says Josephine Wolff, assistant professor of public policy at Rochester Institute of Technology. School districts, data-rich and often lacking ironclad cybersecurity, have emerged as an increasingly vulnerable target.
“Nefarious actors have determined that schools are large repositories of information and also potential targets, given that they can be varied in the technical expertise and the funding that they get to protect the data that they have,” said Amy McLaughlin, cybersecurity and network consultant for the Consortium for School Networking, based in Washington, D.C.
Just this year, school districts in Idaho, Connecticut and New Mexico were all hit with ransomware attacks. Just this month, it was Syracuse city schools, one of New York’s so-called Big 5 districts. In mid-May, Oklahoma City Public Schools, a district with about 45,000 students, temporarily shut down its network after a ransomware attack. The recovery services it solicited were estimated to cost between $43,175 and $103,840.
In 2018, public K-12 schools reported 122 cybersecurity incidents, according to the K-12 Cybersecurity Resource Center, based in Arlington, Virginia. Of those, 11 were connected to ransomware.
Hacking into networks and stealing data isn’t a new phenomenon. But ransomware is unique in that it monetizes data that wouldn’t typically be lucrative. There isn’t an easy way to sell a third-grade class’s reading scores or a seventh-grader’s disciplinary records. But schools need this information to operate — and many families don’t want it made public.
“On the surface, that is not information that is worth money to anyone, but hackers know … that it has value to the individuals whose data it is and also to the school district as a whole,” says Amelia Vance, director of the Education Privacy Project at the Future of Privacy Forum, also based in D.C. “It is valuable because we find it valuable.”
Before the letter arrived, Bradshaw didn’t know that the violent threats sent to people in his district were at all related to a cyberattack. He brought security in to patrol campuses, closed school between Thursday and Tuesday that week and canceled a weekend homecoming game. Even private schools and a community college temporarily shuttered their doors.
Once the letter arrived, though, he was forced to change course quickly. The hackers, who had found his and others’ contact information through the school’s network, were demanding a monumental ransom. They had entered the network through a vulnerable server left running over the summer, and now they proposed three payment plans, with one option that would total $150,000. If the district did not pay, its valuable data, including student names and addresses, would be published.
“Imagine if we published student grades and even … student work. How about nurse reports and private health information? What would the parents have to say about this? What sort of lawsuits would they begin?” the letter threatened.
Data is now as much a part of most public schools as books or whiteboards. School administrations track where students live, the medications they take and a host of other figures. The Every Student Succeeds Act requires detailed records on student performance. Many teachers use interactive apps and online programs, some of which record student internet activity — even though this violates federal law.
The attack against Columbia Falls didn’t shut school officials off from their data. But many more recent ransomware strikes do. Losing access to this information can be devastating.
“A ransomware attack … would take away access to a student’s transcript that they need to apply for a job. It would take away access to who is in attendance,” says Vance. “It really does shut down the abilities of schools to do almost everything in this day and age.”
And once those operations are cut off, schools face the agonizing decision of whether or not to pay the ransom. Hackers typically request payment in Bitcoin, a cryptocurrency notoriously difficult to track. Unlike most corporations, school districts deal with public scrutiny on ransom negotiations. Wolff says public entities are generally more reluctant to pay for that very reason.
If public entities, including schools, “are going to make ransom payments, that’s going to be on the public record somewhere … I think that probably puts a little more pressure on them,” she says.
The FBI recommends against paying ransom in any circumstance. That decision can be difficult, though, since ransom payments are sometimes less expensive than paying to recover lost data and continue operating. The city of Baltimore opted not to pay a ransom of approximately $70,000 when it was first hit this spring. Its recovery is now estimated to cost $18 million.
What’s more, an investigation by ProPublica this spring showed that many companies that purport to help ransomware victims recover their lost data ultimately just pay the ransom anyway.
One major step schools can take to protect their data before they get hacked and held for ransom is simple, cybersecurity professionals agree: Collect less of it.
“One of the top privacy principles is data minimization, the idea that you should minimize data by not collecting it in the first place unless you need it, deleting it as soon as you can and only creating copies when you need to,” says Vance.
This is easier said than done, especially because public schools are subject to state data retention laws, which vary. In New Jersey, for example, state law requires public schools to keep student data, including medical records, standardized test scores and parent names, for 100 years.
“In the old days, you would get rid of information because you didn’t have the space to keep it,” said Bradshaw. “Well, when you keep it electronically, which we do … you don’t notice mistakes, so it’s even more critical from my perspective to get rid of that data in accordance with state law.”
For the data that can’t be deleted, districts should establish secure backups and keep clear records of where the information is stored. But districts also need to make a stronger effort to engage teachers and administrators throughout the year on how to be more critical about the messages they receive in their inbox and the files that are shared with them. Unlike the Columbia Falls attack, many recent ransomware attacks infect networks through phishing — in which a single person in the school clicks on a link, often one that had been emailed to them by an unknown contact.
“Things like your backup, remediation and filtering, those kinds of things only help you to a certain extent in recovery, as opposed to a really solid understanding by employees of their role, their responsibilities and what they should be looking for and learning to be suspicious of,” says McLaughlin.
Ultimately, Bradshaw’s district did not pay the ransom. They contacted the FBI and worked extensively with law enforcement. In the following weeks and months, he would discover that the ransomware was part of a campaign of attacks by the international hacker network Dark Overlord, which was responsible for scores of breaches across the U.S. and even leaked episodes of the television show Orange Is the New Black after Netflix refused to pay. Several other school districts were hit by the hackers that year.
Not paying the ransom didn’t immediately lead to Columbia Falls student data being strewn across the internet, as far as Bradshaw knows. But it did require an active information campaign: sending out about 1,200 letters to district families and holding two public meetings to discuss the potential consequences of the cyberattack.
“It’s interesting … because there are more guns than there are people in the state of Montana,” he said. “They were ready to come protect the school and the kids, and I said that’s not going to work.”
In Bradshaw’s view, cybersecurity hinges on funding. He argued that the biggest change needed to help protect schools from what his district went through is to invest more in public education. Cybersecurity professionals aren’t incentivized to work for schools when they can earn much higher salaries in the private sector, he said.
“It comes down to what you can afford to put in,” he said.
Right now, swaying public opinion toward higher funding for cybersecurity remains a challenge. Wolff says the issue is growing in awareness, but she doubts it will emerge as central to any big local elections anytime soon.
Personal experience with a ransomware attack, however, might be a powerful motivator. Bradshaw’s community is mostly conservative and wasn’t always keen on raising taxes to boost cybersecurity funding in the district. But after its 2017 ordeal, he said, that started to change.
“A year later, we passed a $500,000 technology levy, which in this conservative community that’s economically hurting … for them to say, ‘We’ll pony up to pay an extra $5 a month toward that $500,000 for the school,’ was a big thing,” he said.