A recent trend in cybercrime indicates that online attackers are increasingly targeting a demographic they know people will rush to protect: K-12 students.
This year alone, more than three dozen schools have reported large-scale breaches of student data by cybercriminals looking to extort money from both schools and parents. The attackers threaten public exposure of students’ addresses and Social Security numbers — and even threaten physical violence in some scenarios.
The breaches caused the U.S. Department of Education to issue an alert earlier this month about a “new type of cyber extortion/threat.”
According to recent coverage from the Wall Street Journal, the attackers usually depend on users to open infected emails and links. The associated malware serves as a channel for access to databases containing student names, addresses, Social Security numbers, birth dates, academic performance, phone numbers and medical and disciplinary records. The data is then held hostage.
Some K-12 schools have ignored FBI advice and chosen to pay hefty ransoms to regain access to their systems. Dorchester School District Two in South Carolina paid $2,900 to cybercriminals in July of this year, the Journal reported, and Horry County Schools in South Carolina paid nearly $10,000 last year.
Cybersecurity experts strongly discourage paying ransoms and assert that the payments only encourage attacks while funding future criminal activity.
Some K-12 systems, however, claim that ransoms are more appealing than facing the threats that hackers pose to schools and students. A representative from Horry County said the $10,000 ransom was worth it just to regain access to important files and to have systems up and running again.
In September, Columbia Falls School District Six in Montana received an unsettling seven-page letter from cybercriminals, providing samples of the sensitive student data — including records from social workers — that they would use to cause “an immense and unfathomable amount of financial and reputational harm” to the schools in addition to the endangerment and public embarrassment they would create for students.
“We know who you are, Columbia Falls. We know everything about your operation. We know everything about your schools and the children in them,” the letter read. “Your nursery children, your primary children, and your secondary children. We know who the problem children are, who the [honor] performing children are, and even who many of the parents are. We have educated ourselves and made ourselves aware of your entire lives.”
The letter detailed three “business opportunities,” presenting the school district with ransom options ranging from $75,000 to $150,000, with varying calls for self-debasing acts — such as the delivery of a five-page essay from a school authority figure, explaining his “experience and emotions” throughout the process and apologizing for “rudely” ignoring the cybercriminals’ initial correspondence.
Johnston Community School District in Iowa faced even more sinister threats, including text messages sent directly to parents that explicitly threatened the lives of their children. The hackers eventually released the student data from Johnston Community Schools onto a public website, later tweeting, “With the student directory from JCSD we released, any child predator can now easily acquire new targets and even plan based on grade level.”
Further financial harm incurred by schools has also come in the form of stolen paychecks from faculty and staff. School districts in Atlanta, Boston and Georgia had paychecks stolen this year after cyber-intruders rerouted employee direct-deposits into unauthorized accounts, according to the Journal.
As malicious threats against K-12 students grow in severity and prevalence, security experts advise schools to ramp up their cyber-infrastructure by keeping antivirus software up to date, backing up files regularly and providing relevant training for employees and students.