As Cybersecurity Month 2021 looms, I am reminded of two incidents that occurred under my watch as a technology director. The first was a ransomware attack due to a Yahoo email attachment. At an elementary school, the ransomware knocked the point of sale food service computers offline. The problem had hit right after lunch. But no one reported it until late in the day. Consequently, I scrambled the team and descended on the campus at 4 p.m. on a Friday afternoon. Then, the second ransomware attack came. As a result of this attack, five years of federal reporting data went missing. With a data protection impact assessment or privacy impact assessment, the issues might have been lessened. It was all preventable if only district staff had listened to recommendations.
“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.”Source: Cybersecurity in K-12 education
Recent Cyber Incidents
In August of 2021, there were 84 cyber incidents worldwide. Those accounted for 60,854,828 breached records (source). Here are a few more in the last few months, which affected school districts in the United States:
- Judson ISD (San Antonio) paid hackers $547,000 to protect sensitive information
- Missouri’s Affton School District confirms ransomware attack
- Montana’s Gering Public Schools suffers ransomware attack
- Rockwood School District provides notice of ransomware incident (77,294 affected)
- University of Kentucky data breach exposes email addresses of students and teachers (355,000 affected)
- New York City public school students exposed in data leak (3,100 affected)
- Charlotte-Mecklenburg Schools email gaffe exposes medical info on students (3,000 affected)
- Brooklyn Tech students uncovered a NYC schools data breach
- Chico State University exposed the personal information of students who requested COVID-19 vaccination religious exemptions (130 affected)
- Fresno Unified School District notified people after discovering backup device with names and SSNs was missing
September 2021 wasn’t looking any more promising than August. For example, at the time this blog entry was written, North East ISD in San Antonio, Texas reported a potential breach as well. Would anyone argue that there isn’t a problem?
Have You Seen This?
If you go to StopRansomware.gov, you will access a resource from the United States Government. Once there, you can access resources, a newsroom, see alerts, and report ransomware.
NBC News Reports Leaked Children’s Data
In their article Hackers Are Leaking Children’s Data — and There’s Little Parents Can Do, NBC News reported data breaches for over 1,200 school districts in 2021. Here is just some of the harrowing information from the article:
“Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are. Their theft can set up a child for a lifetime of potential identity theft.”
“One of those [files], still posted online, is an Excel spreadsheet. It lists approximately 16,000 students. That is, roughly, the combined student population of Weslaco’s 20 schools last year. It lists students by name and includes entries for their date of birth, race, and gender. Social Security number is indicated as well as whether they’re an immigrant, homeless, marked as economically disadvantaged. It also flags those potentially dyslexic.”
Safeguarding Sensitive Data
What can students and their parents do? Check out some suggested steps, including freezing student credit while they are still underage.
You can also get a copy of my free guide Safeguarding Sensitive Data: Data Breach Prevention and Response Plan. It’s available as a Google Doc or an electronic ebook (ePub format). In it, you will find suggestions on prevention. You will also find policies to put into place which I developed to guide my school district’s efforts. Is your organization ready for ransomware and data breaches?
Explore Relevant Resources
In the meantime, what can school districts do? Focus on prevention with proactive measures instead of being reactionary. Most importantly, safeguard against ransomware and cyberattacks. In addition, provide professional learning for all staff on how to protect sensitive data. Finally, take the time to review cybersecurity resources and guides like the resources I provide here.
Resource #1: The Cybersecurity Workforce Training Guide
Not sure where to start? Explore the Cybersecurity Workforce Training Guide released in August of 2021. The guide helps professionals develop a training plan. It also provides over 100 training resources and certification prep courses for technical support. The guide is interactive and available online. At the very least, it suggests that this topic requires study.
Resource #2: National Standards for Districts
In August of 2021, the K12 Security Information Exchange (K12 SIX) shared resources that include protective measures every school district should put in place.
Resource #3: Cybersecurity K-12 Fact Sheet
Need assistance in selling the message? Grab a copy of the Cybersecurity K-12 Fact Sheet. It can help you explain the complexities of protecting your school’s data assets. For this purpose, it covers a wide variety of topics, including cyber insurance. Another great resource to consider is The Data Breach Survival Guide.
Resource #4: Statewide Cybersecurity Awareness and Training
Looking for a starting point aside from what has been shared above? Take a look at Texas’ Statewide Cybersecurity Awareness Training website. You may also find the Texas Cybersecurity Council resources worth looking into. As you may not know:
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs requires DIR, in consultation with the Texas Cybersecurity Council, to certify at least five cybersecurity training programs for state and local government employees and Section 2054.5191 requires state and local government employees to complete a certified training program. The statute also requires state and local government employees to complete a certified training program.
School districts only need to have a cybersecurity coordinator to receive the training. A reporting form is available online.
Start the Work
Cybersecurity Month (October 2021) may be the time your organization takes cybersecurity, protecting against data breaches, seriously. If not, consequently, the next major network news source may find your district’s student confidential data on the dark web.
Did You Know?
TCEA offers an online, self-paced course to prepare you to protect your own and district data. It is geared towards individuals who may want to learn more about safeguarding sensitive data. Register now for TCEA’s Data Guardian course.