K-12 Cyber Incidents Escalate, Report Shows

Recently K12 Security Information Exchange (K12 Six) released its annual State of K-12 Cybersecurity, Year in Review. K12 Six has been tracking cybersecurity incidents in K-12 for several years and has been attracting a following among school district Information Technology (IT) leaders. They are perhaps best known for their heat map which is a visualization of publicly disclosed school cyber incidents from 2016 to now. Besides the map and this research, they are an information exchange where IT leaders can learn from each other, leaders in the cybersecurity field, and cybersecurity vendors.

cover of The State of K-12 Cybersecurity: Year in Review
2022 Annual Report that show cyber incidents in K-12

The definitive annual report series on cyber incidents affecting U.S. public elementary and secondary (K12) education institutions. Based on a data source that the U.S. Government Accountability Office (GAO) found to be the “most complete resource that tracks K-12 cybersecurity incidents, including student data breaches.”

U.S. Government Accountability Office (GAO)
Number of Publicly-Dislclosed K-12 Cyber Incidents by Incident Type 2016-2021. Data steadily rising for data breach, ransomware, BEC, DDOS, Invasion, and other to total about 1300 cybersecurity incidents.
K12 Six The State of K-12 Cybersecurity 2022 Annual Report

The report itself tells us what we already know: there is a growing number of cybersecurity incidents in school districts. But, it provides specific numbers, categories, and examples that drive home the problem. Note that K12 Six reports that the reporting is not what it should be. Based on anecdotal evidence, incidents occurred perhaps 10 to 20 times more often than reported.

2021 was Unique

2021 had some unique variables that may have caused the increase. With the pandemic and remote learning, a new cyber incident became evident. Dubbed “zoombombing” or class invasion, these incidents rocked the virtual classrooms of the United States. Vendors and users implemented technical and operational controls respectively to blunt this threat. Luckily, learning from mistakes and the return to the classroom should diminish this threat.

Also, 2021 became the year school districts became more aware of the need for and requirements of cyber insurance. While many school districts had insurance, they did not meet the stricter requirements of their insurer. Insurance companies got slammed over the previous years with the rise of ransomware, and now were enforcing a set of requirements on districts to keep their policies in force. With both the increased media attention to cyber incidents and the new insurance requirements, district leaders and board members, not just IT or Risk Management, began to focus on cybersecurity. So 2021 wasn’t all bad!

Ransomware – #1 Cyber Incident

Of all the cybersecurity incidents, the top incidents were ransomware, data breaches, and class meeting invasions. Ransomware, for the first time, is the top threat. In 2021 62 K-12 districts across 24 different states reported ransomware cybersecurity incidents. 2021 was the third year with over 50 incidents. Unlike a data breach, ransomware often results in class cancellations, school closures, and a breakdown of district core operations.

The Baltimore Sun headline:
Ransomware attack cripples Baltimore County Public Schools. No timeline for return to class.
The Baltimore Sun headline

The report outlines striking examples that include Baltimore County (MD) Public Schools where the cost of ongoing recovery from a Ryuk ransomware attack grew to nearly $9.7 million dollars and closed school for days and limped back for weeks.

The Buffalo News headline
The Editorial Board: Ransomware attack on Buffalo schools show again the need for strong security.
The Buffalo News headline

Similarly, the Buffalo School Board approved spending nearly $9.4 million on IT consultants to respond to a ransomware attack in March 2021.


Data Breaches

Initiator of K-12 Data Breach/Leak Cyber Incidents: 2016-2021
K-12 Vendor 55%
Other / Undisclosed 24%
Staff 14%
Students 7%
K12 Six The State of K-12 Cybersecurity 2022 Annual Report

The most significant vector for student and teacher data breaches, the loss of personally identifiable information (PII), remains school district vendors and other trusted non-profit and government partners, not the districts themselves. An exception to the Family Educational Rights and Privacy Act, or FERPA, allows districts to transfer the role of a so-called “school official” allowing a district to share educational records with third parties as part of outsourcing service that it lacks the capacity to perform itself. Although allowed, districts must vet these 3rd party vendors from the large Software as a Service (SaaS) ubiquitous in Student Information Systems (SIS) and Learning Managementment Systems (LMS) to the smallest EdTech vendors.

Another significant source of K-12 data breaches is school district staff and school board members,
who inadvertently share the PII of students and/or staff in the course of their duties. Two common examples are losing an unencrypted district device or emailing a spreadsheet of data.

The other K-12 cyber incident types disclosed during 2021 as reported by K12 Six include:

  • Business Email Compromise (BEC) where district emails are spoofed or stolen to fraudulently request gift cards, W-2s, and invoice payments;
  • Class Invasions where malicious actors gain access to classes or meetings;
  • Email invasion where the district email system is breached for spamming;
  • Website and social media access where lack of controls leads to defacement or worse by a 3rd party;
  • Denial of Service (DOS) attacks to bring down systems and testing periods.

Responsibility for Cyber Incidents

The research shows where most of the incidents are occurring. Incidents per 100,000 students, which compensates for the size of the district, show that the states of Montana, North Dakota, Connecticut, Maine, and Hawaii have more than their expected share of K-12 cybersecurity issues. Larger school districts and wealthier ones appear to be at a greater risk of cybersecurity incidents than small school districts and lower-income districts. This may be because cybercriminals are targeting districts with more money and the ability to pay a ransom.

So who is responsible and why do these incidents keep occurring? K12 Six found 4 groups.

  • Teachers, administrators, and board members who have a lack of training
  • Tech-savvy students who are not monitored
  • Suppliers and vendors who are not properly vetted
  • Cybercriminals (of course) who realize that school systems are “soft targets”

Key Finding

There is a lot of great information in the K12 Six report that is backed up by well-researched data. While they come up with several conclusions, there is one main point that comes from the data. K-12 school districts need to implement commonsense cybersecurity controls and practices. As a district leader, you do not want to risk the money, lose productivity and class time, or get on the K12 Six K-12 Cyber Incident Map. Read the full report here: The State of K-12 Cybersecurity Report Series — K12 SIX.

Next Steps

Tech Reformes is hosting a webinar, The Ransomware Hostage Rescue Checklist: Your Step-by-Step Guide to Preventing and Surviving a Ransomware Attack. In this webinar Roger A. Grimes, KnowBe4‘s Data-Driven Defense Evangelist and security expert with over 30-years of experience will take you step-by-step through best practices for preventing ransomware attacks and a post-attack response plan. Join us May 11, 2022 11:00 am PDT, 2:00pm EDT. Don’t be a victim of the #1 cybersecurity threat in K-12.

New Webinar
The Ransomware Hostage Rescue Checklist:
Your step-by-step guide to preventing and surviving a ransomware attack. Avoid cyber incidents!
  • Share This Story

about author

John Krull

jkrull@techreformers.com

John Krull is the Founder and President of Tech Reformers, LLC. Tech Reformers is a cloud service provider focused on K-12 Digital Transformation. Areas of practice include Infrastructure, Cloud Adoption, Managed Services for Cybersecurity, Student Safety, Disaster Recovery, and Content Services. John is a former CIO at Seattle Public Schools and former CTO at Oakland Unified School District. Prior to 15 years leading school system technology, John worked at Microsoft and various startups implementing web and video technologies. John began his long career as a teacher.