|
|
EdSurge
Report: A New Cybersecurity Incident Strikes K-12 Schools Nearly Every Three Days
By Emily Tate
Feb 7, 2019
Just a little over a month into 2019, already about a dozen
cybersecurity incidents have struck U.S. school districts. And if the
past is any indication, more are likely to come.
A U.S. school district becomes the victim of a cyberattack almost as
often as every three days, according to a report released Thursday.
Last year, public K-12 education institutions experienced 122 known
cybersecurity incidents, ranging from data breaches to phishing scams
and ransomware attacks. But that only represents the tip of the
iceberg, says Doug Levin, author of “The State of K-12 Cybersecurity:
2018 Year in Review.”
“It’s definitely an undercount,” Levin said in an interview last month.
By his estimate, as many as 10 or 20 times more undisclosed breaches
could have occurred last year in the education sector, because many
districts elect not to disclose such incidents to the public.
2018 k-12 cybersecurity incidents
Levin, who is president of EdTech Strategies, a consulting firm,
maintains a database of publicly disclosed K-12 cybersecurity incidents
dating back to 2016. Since then, he has catalogued more than 415
incidents, which include: denial of service attacks, including one at
Mt. Zion School District in Illinois that disrupted access to the
district’s computer network; phishing scams, like what happened at
Olympia School District in Washington state, where a fraudulent email
tricked an employee into sending the sensitive information of district
staff; ransomware attacks, which typically infect a computer system
with software that either blocks access or releases personally
identifiable information unless the victim pays a ransom; and
unauthorized disclosures or data breaches, often caused by human error
in the education sector, as was the case at the Pennsylvania Department
of Education.
“I think it’s going to get worse before it gets better,” he said. I’m
seeing what I would characterize as pretty significant events that are
actually happening in schools today.” These events not only disrupt
teaching and learning, Levin added, but can also cost districts up to
six-figures to redress.
Of the 122 cybersecurity incidents Levin identified last year, all but
seven affected traditional school districts and charter schools. The
exceptions include Florida Virtual School and the state education
agencies in North Dakota and Pennsylvania. Of the school districts
affected, two—Chicago Public Schools and Mt. Diablo Unified School
District in California—experienced more than one cyberattack in 2018.
In his analysis, Levin sought to understand whether certain
characteristics made a district more likely to be targeted. “It seems
to be non-discriminating,” he concluded. Suburban, rural and urban
districts, as well as small, mid-sized and large districts, were
similarly vulnerable.
The exception, he found, are districts with a higher population of
students living in poverty. These were less likely to be affected by
cyberattacks. In 2018, 70 percent of these events occurred in
low-poverty districts, defined as districts that have fewer than 20
percent of students living in poverty. Just 5 percent of incidents
occurred in districts that have more than 30 percent of students in
poverty.
“One plausible hypothesis is that wealthier school communities may be
relying on more technology than other district types and hence are
exposed to greater risks,” Levin writes in the report.
Levin also highlights a “top 10” incidents of the year in the report,
based on the number of individuals affected and the costliest cases.
Among them are the December breach that exposed the data of 500,000
students and staff at San Diego Unified, as well as an incident last
April where a Massachusetts school district paid a $10,000 bitcoin
ransom following an attack on its computer system.
Taken together, these incidents have become hard to ignore, Levin said.
“This is a wicked problem,” he said. “There’s no easy solution. It’s
not just that we need more money, different policies or more training.
The nature of these threats is going to keep changing. And if major
companies—Equifax, Apple, Cisco, Facebook—can’t keep a handle on their
stuff, what chance do little school districts have?”
Read this and other articles at EdSurge
|
|
|
|