During an early morning staff call, instructors at a middle school in New Mexico’s largest city got their first idea of a major technology problem.
There were shout-outs for a new custodian’s hard work on the video, as well as the usual statements from administrators and the union rep. However, there were clues of a brewing catastrophe throughout the conversation. Nobody had access to attendance data, and no one had access to class rosters or grades.
The outage, which prevented access to the district’s student database, which also includes emergency contacts and listings of which people are permitted to pick up which children, was subsequently verified by Albuquerque administrators to be the result of a ransomware assault.
Sarah Hager, an art teacher at Cleveland Middle School, stated, “I didn’t understand how crucial it was until I couldn’t use it.”
Cyberattacks like the one that forced Albuquerque’s largest school district to suspend classes for two days have become a rising menace to American schools, with many high-profile occurrences documented since last year. And the coronavirus outbreak has exacerbated the problem: more money is being demanded, and more schools are being forced to close as they try to retrieve data or delete all computers manually.
“Incidents have been increasing in frequency and severity in pretty much any way you cut it,” said Doug Levin, head of the K12 Security Information Exchange, a Virginia-based charity that helps schools guard against cybersecurity risk.
Because most schools are not compelled to publicly report cyberattacks, precise data is difficult to come by. Experts claim, however, that public school systems, which generally have inadequate finances for cybersecurity expertise, have become an attractive target for ransomware gangs.
The epidemic has also caused schools to shift more toward virtual learning, increasing their reliance on technology and rendering them more exposed to cyber-extortion. Schools in Baltimore County and Miami-Dade County, as well as schools in New Jersey, Wisconsin, and others, have had their instruction disrupted.
Since 2016, Levin’s organization has recorded over 1,200 cyber security incidents at public school districts throughout the country. There were 209 ransomware attacks, in which hackers encrypt data and demand payment to decrypt it; 53 “denial of service” attacks, in which attackers sabotage or slow a network by faking server requests; 156 “Zoombombing” incidents, in which an unauthorized person intrudes on a video call; and more than 110 phishing attacks, in which a user is duped into letting a hacker into their network by a deceptive
Schools are also dealing with a slew of additional issues relating to the epidemic as a result of the recent attacks. When teachers become ill, there are no substitutes available. Where strong virus testing methods exist, tests and staff to administer them are not always available.
In New York City, a cyberattack last month on third-party software vendor Illuminate Education did not result in class cancellations, but it did prevent instructors from accessing grades across the city. The disruption, according to local media, contributed to the stress of instructors who were already combining lessons with implementing COVID-19 regulations and covering for sick or quarantined colleagues.
Getting all kids and employees online during the epidemic, according to Albuquerque Superintendent Scott Elder, opened more ways for hackers to get access to the district’s system. He highlighted this as a factor in the ransomware assault on Jan. 12 that resulted in the cancellation of lessons for 75,000 pupils.
The cancellations, which Elder dubbed “cyber snow days,” offered technicians a five-day window over the holiday weekend to reset the databases.
According to Elder, there is no proof that hackers stole student information. He wouldn’t disclose whether the district paid a ransom, but said if it did, there would be a “public procedure.”
The hack, according to Hager, the art instructor, created tension on campus in ways that parents were unaware of.
Because the fire alarms were not working, fire exercises were canceled. The intercoms were no longer functional.
As positive test results poured in, Hager claimed, nurses couldn’t figure out where the kids were. “As a result, there might have been ill kids on campus.” It also appears that the breach erased a few days’ worth of attendance records and grades permanently.
Edupoint, the company that makes Synergy, Albuquerque’s student information database, declined to comment.
To avoid exposing more flaws in their security systems, many institutions seek to keep attacks under wraps or share little information.
“It’s really difficult for school districts to learn from one another because they’re not supposed to talk about it because you could disclose weaknesses,” Elder explained.
Last year, the FBI issued a warning about a group known as PYSA, or “Protect Your System, Amigo,” claiming that the organization’s attacks on schools, universities, and seminaries had increased. Conti, one of the nation’s top ransomware gangs, requested $40 million from Broward County Public Schools last year.
The majority are Russian-speaking ethnic communities residing in Eastern Europe who are protected by tolerant governments. If they aren’t compensated, some will upload data on the dark web, including very sensitive material.
Ransomware gangs tended to target smaller school districts in 2021 than in 2020, according to Brett Callow, a threat analyst at the firm Emsisoft. While attacks on larger districts garner more headlines, ransomware gangs tended to target smaller school districts in 2021 than in 2020, according to Brett Callow, a threat analyst at the firm Emsisoft. He believes this indicates that larger districts are boosting their cybersecurity investment, while smaller districts, which have less money, remain susceptible.
A ransomware assault brought down the Synergy student information system at the 1,285-student district of Truth or Consequences, south of Albuquerque, a few days after Christmas. Officials there compared it to being robbed in their home.
“It’s simply a sense of helplessness and bewilderment as to why someone would do something like this because, at the end of the day, it’s robbing our children.” Superintendent Channell Segura stated, “And to me, that’s simply a terrible approach to attempt to, to obtain money.”
The school did not have to cancel lessons because the attack occurred during the summer holiday, but the network is still down, as are the keyless access locks on the school’s doors. Teachers are still carrying the actual keys they had to locate at the beginning of the year, according to Segura.
President Joe Biden signed the K-12 Cybersecurity Act in October, which directs the federal cyber security agency to offer suggestions on how to better secure school networks.
New Mexico legislators have been sluggish to promote internet use in the state, much alone support cyber security education in schools. State legislators presented a bill last week that would provide the state education department $45 million to develop a cybersecurity curriculum by 2027.
Teachers typically need to put in extra time to come up with ideas on how to avoid future hacks and recover from existing ones.
Parents fought on Facebook in the days after the Albuquerque assault over why schools couldn’t just convert to pen and paper for things like attendance and grades.
Hager said she even heard her mother, a retired schoolteacher, criticize her.
“I told her, ‘Mom, you can only take attendance on paper if you’ve already printed out your roster,'” Hager said.
Teachers might also store duplicate paper copies of all records, but this would add to their already-heavy clerical workload.
“These systems should work,” Hager argues, at a moment when administrators are increasingly requiring teachers to document everything digitally.
