Hackers are increasingly targeting school systems around the nation with cyberattacks.
The New York Times reports that school districts have proved particularly enticing to hackers because they hold troves of private data and schools often lack the resources to fend off intruders.
Nearly two-thirds of school districts in the United States serve fewer than 2,500 students, and many do not have a staff member dedicated solely to cybersecurity, according to Keith R. Krueger, the chief executive of the Consortium for School Networking.
Some hackers demand ransom from school systems; others collect data for sale to identity thieves.
In Louisiana, Gov. John Bel Edwards declared a state of emergency after a virus disabled computers at three school districts, including one in which the virus also knocked out the district office’s phone system.
The Internal Revenue Service warned in 2017 that a scheme to target confidential tax data had “evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.”
It may be a while before schools’ defenses are able to catch up with the hackers who target them, says Eva Vincze, a faculty member in the cybersecurity and police and security studies programs at George Washington University.
“Most school systems, especially in small communities, do not have the resources to keep up with each generation of threats that bad actors come up with,” Vincze says. Schools may put themselves at risk by having “the same mentality that is pervasive in the business sector: ‘It won’t happen to us.’”
Cyberattacks on school districts and other organizations begin when an employee opens an email that appears to have come from a supervisor or even the district superintendent, but in fact carries malware that compromises the employee’s computer and the district’s network.the
The Syracuse (N;Y.) school district, which was the victim of a cyberattack on July 8, says its insurance policy will cover the cost of regaining access to its computer systems, minus a $50,000 deductible. The district did not disclose the cost of combating the cyberattack.
School officials in the Houston County (Ala.) district have had to delay the first day of classes by four days because of a cyberattack. Officials have been reticent to disclose specifics of the attack or whether the attackers demanded ransom.
Superintendent David Sewell says that when the schools do open, teachers may not be able to use their computers.