K-12 schools in at least three states have been targeted for extortion by hackers, and institutions of higher education may be subject to the same cyberthreat, a cybersecurity official at the U.S. Department of Education warned this week.
Recent cases emphasize how critical it is for schools and colleges to anticipate a cyberattack and for IT staff to take the necessary measures to protect their institutions, the official said Monday.
Hackers seeking to extort money from school districts have begun threatening to release — and, in some cases, have actually released — sensitive student data, including names, home addresses, phone numbers and medical records.
Cyberattacks of this nature have sparked fear and prompted school closings in some cases.
The Columbia Falls School District in Montana was closed for three days in September after parents received “extremely graphic threats via text messages.” The hackers in that instance had infiltrated the district’s servers and obtained personal records from former and current students, parents and staff.
Similar cases in Iowa and Nebraska earlier this month also led to school closings.
Citing those examples, Tiina Rodrigue, a senior adviser for cybersecurity at the Education Department’s Federal Student Aid office, warned K-12 and higher education institutions about this new approach, which has been associated with “threats of violence, shaming or bullying the children unless payment is received.”
The FBI is actively investigating all reported attacks, the memo said. In the meantime, the department urged schools’ IT managers to bolster their cybersecurity tactics and update or patch vulnerable systems.
“The attackers are likely targeting districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data,” Rodrigue wrote. The attacks tend to target district computers or applications. Some come in the form of malicious email attachments or phishing scams.
School- and district-level IT staff can protect their organizations by conducting security audits, reviewing audit logs for suspicious activity, training staff and students to detect and avoid social engineering and phishing attacks, and ensuring that access to sensitive data is limited, Rodrigue said.