The US Education Department issued a warning to schools across the country about a rising cyberthreat: computer hackers are allegedly attempting to extort money from the schools, messaging them that their private records have been stolen and students will be subjected to “violence, shaming, or bullying” unless the school pays the protection money.
It’s a type of attack known as ransomware, and because school district computers are generally guarded by inadequately trained security staff or IT personnel, schools are among our most vulnerable institutions that keep sensitive and personally identifying information (PII) about minor children. Some of that PII may include Social Security numbers, dates of birth, medical or disability records, and other information that could be used by criminals to target individual children, now or in the distant future.
CNN reports that the attacks have so far hit schools in at least three states, including the schools in Columbia Falls, Montana, where Steve Bradshaw is the superintendent. He said he received his first threatening message in mid-September. “The messages weren’t pleasant messages,” he was quoted as saying. “They were ‘splatter kids’ blood in the hallways,’ and things like that.”
The education department said in its message that schools should report all threats to local law enforcement and, optionally, to the department for monitoring purposes.
What can schools do?
Schools should ensure the security of devices and networks, perhaps by conducting a data and network security audit and making certain all the holes and ways into the systems are patched.
They should also review login and httpd logs, such as access.log, to determine where attacks are coming from and what computers are reading or, worse, POSTing to certain Web pages.
Most importantly, since these attacks may also originate as a phishing attack on individual school employees, schools should ensure proper training for teachers, students, and other school staff. Know what the best practices are for data security and social media usage.
Finally, although it is impossible to say all data needs to be stored on systems that can’t be accessed over the internet, access to all sensitive data should be restricted to personnel on a need-to-know basis. That includes student rosters, which might be linked back to students’ Social Security numbers. No exceptions. As much as possible, that access should be limited to local network IP addresses, which means not even the superintendent should be able to access it from outside the school.
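The log review and the local-network rule described above can be checked together. The following is an added example, not something from the Education Department or CNN; the internal range 10.0.0.0/8, the /sis/ and /roster/ paths, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed school LAN range
SENSITIVE_PREFIXES = ("/sis/", "/roster/")         # assumed sensitive URL prefixes

def is_local(client):
    """True only when the client field is an IP inside the school's own range."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # logged hostname or junk: treat as outside so it gets reviewed
    return any(addr in net for net in LOCAL_NETS)

def review(lines):
    """Return (POST counts per client and path, sensitive requests from outside)."""
    posts, outside = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST":
            posts[(ip, path)] += 1
        if path.startswith(SENSITIVE_PREFIXES) and not is_local(ip):
            outside.append((ip, method, path, m["status"]))
    return posts, outside

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '10.1.4.20 - jdoe [12/Oct/2017:08:01:11 -0600] "GET /roster/grade5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2017:02:14:09 -0600] "POST /login.php HTTP/1.1" 401 312 "-" "curl/7.55"',
    '203.0.113.7 - - [12/Oct/2017:02:14:10 -0600] "POST /login.php HTTP/1.1" 401 312 "-" "curl/7.55"',
    '198.51.100.23 - - [12/Oct/2017:03:30:45 -0600] "GET /sis/export?fmt=csv HTTP/1.1" 200 884213 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    posts, outside = review(SAMPLE)
    for (ip, path), n in posts.most_common():
        print(f"{n:4d} POSTs  {ip}  {path}")
    for hit in outside:
        print("sensitive path reached from outside the LAN:", *hit)
```

A 200 status on a sensitive path from a non-local address means the local-only restriction is not actually being enforced, which is worth fixing at the web server or firewall rather than only noting in a report.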
It may not be possible to install the security recommended, but schools should look into it. We’re going to have to trade a little convenience, because, as we discovered in the Equifax breach earlier this year, data security is paramount.
Schools just don’t invest in computing environments with great technology resources, especially resources devoted to data security. Yet we know, and criminals know, that school computer systems store a virtual treasure chest of personal information about people, data that can be used even long after it was stolen in any criminal or negligent act.
“If bad actors can access student [personal data], that information can be exploited for the purpose of fraud and committing crimes for years before it is detected,” CNN quoted Mary Kavaney, the chief operating officer of the Global Cyber Alliance, as saying. “It’s often only upon application for a job, or application for financial aid to attend college that students find out that their Social Security number has been used fraudulently—they may have poor credit due to false applications against their history, or worse, find that crime has been committed in their name.”
I’m sad to suggest schools think about something other than school subjects, but you can teach all the AP physics you want; if kids aren’t safe or don’t feel safe, they’re not going to learn.