Data Security

K-12 Cyber Strikes Cost Millions Last Year

• By Dian Schaffhauser
• 02/19/19

K-12 underwent 122 known cybersecurity incidents last year, hitting 119 different education agencies in 38 states. The result was the "theft of millions of tax payer dollars, stolen identities, tax fraud and altered school records," according to the K-12 Cybersecurity Resource Center, an organization that tracks cyber incidents in schools.

The most frequent forms of digital break-ins reported during the year fell into one of four categories, according to a report examining trends in education cybersecurity issued by the center:

• Disclosure of data by staff members, both current and former, almost always owing to human error;
• Disclosure of data held by vendors or outside organizations working with the district;
• Access to data by students themselves, whether out of curiosity or because they wanted to modify school records, such as grades, attendance records or financial account balances; or
• Access to data by "unknown external actors," most often for malicious purposes.

According to "The State of K-12 Cybersecurity: 2018 Year in Review," student data showed up in more than 60 percent of the K-12 data breaches that took place in 2018, That's a "cause for concern," wrote author Doug Levin. First, he pointed out, it goes against federal and state regulations on student data privacy that are intended to reduce the incidence of student breaches; second, that stolen data is showing up on "dark web marketplaces," where it can be bought and exploited by identity thieves.

Another big area of concern: the number of successful phishing attacks targeting school staff and "intended to redirect large payments from legitimate school contractors/partners to criminal accounts." The largest attack cost a Texas district about $2 million; additional strikes in school systems in Idaho, Louisiana, New Jersey and Texas cost those districts between $300,000 and $988,000.

The data used for the 2018 report was drawn from publicly disclosed events, all of which have been cataloged on the Center's K-12 Cyber Incident Map. Since the 2016 creation of the map and its underlying database, Levin said he has documented more than 415 publicly disclosed incidents — one every three days, he noted.

The report offered some lessons for school leaders and IT and security professionals:

• The cyber incident map is probably underreporting. Many incidents never go public, and many school districts don't know yet that their systems have been breached.
• There isn't any type of school or size or location that makes for a good target or bad. "Indeed," Levin wrote, "if school technology is accessible over the internet, mistakes can and do occur; malicious actors can and are taking note."
• The impact of the reported incidents "is significant." It includes the loss of "tax payer dollars, stolen identities, tax fraud, altered school records, website and social media defacement" or the downtime at schools that can spend weeks cleaning up after cyber break-ins. But it also jeopardizes something else that's even more valuable: "Due to such incidents, parent, educator, student, taxpayer, and policymaker trust in education technology is being placed increasingly at risk," Levin stated.

"Make no mistake: keeping K-12 schools 'cyber secure' is a wicked problem — one that is assured to get worse until we take meaningful steps to address it," he said in a statement. "This report and the ongoing work of the K-12 Cybersecurity Resource Center are only small, but necessary steps in a much longer journey."

The publication of the 2018 report was made possible with the support of Core BTS, Managed Methods, and PC Matic PRO.

The report is openly available on the Center's website.