Cyberattacks against K-12 schools rose 18% in 2020, report finds

The number of publicly disclosed cybersecurity incidents affecting K-12 school systems rose by 18% in 2020 over the previous year, according to a report published Wednesday by the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, or K12 Six, a new nonprofit group.

In total, the two organizations counted 408 incidents, including denial-of-service attacks, ransomware, data breaches and phishing attacks last year, the most since the K-12 Cybersecurity Resource Center started tracking such events in 2016. The incidents affected 377 organizations spread across 40 states, with 51% of all attacks affecting rural districts, which are often poorly equipped to respond to an IT emergency.

And while the first three months of 2020 were largely a continuation of the trends of 2019 — a year in which ransomware against the education sector surged — the onset of the COVID-19 pandemic create new threats for schools, all while officials’ were scrambling to outfit teachers and students for virtual learning environments.

“This shift also introduced a new class of school cyber threats that plagued districts almost to the complete exclusion of other incident types during that period: class invasion,” the report reads, referring to the phenomenon also known as “Zoombombing,” in which online classes were interrupted by unauthorized guests sharing vulgar images, hate speech or threats of violence.

The report shows these interruptions include two variants: interruptions of parent-teacher meetings and virtual school events, and “email invasions” in which entire school districts were subjected to disturbing emails.

But of the 408 attacks the the K-12 Cybersecurity Resource Center counted last year, denial-of-service incidents — such as one last September that led to the arrest of a Miami high-school student — accounted for the biggest share, with 45%. And while the 12% of incidents attributed to ransomware was a drop from 2019, in which there were more overall attacks using the extortion malware, attacks in 2020 were more severe and costly to school districts than in years past.

Ransomware evolution

The K-12 Cybersecurity Resource Center and K12 Six identified three ways ransomware became more nefarious. First was that more malicious actors are threatening to (or actually) dumping students’ and teachers’ personal information on the internet, which happened in Toledo, Ohio, and Fairfax County, Virginia. Ransom demands also spiked, in some cases above $1 million. And in the worst incidents, ransomware attacks caused school systems to cancel both online and in-person classes in the middle of the still-raging pandemic. Schools in Baltimore County, Maryland and Hartford, Connecticut, both lost several days of classes after attacks there.

Rep. Jim Langevin, D-R.I. (Paul J. Richards /AFP / Getty Images)

“Cybercriminals have no reluctance to attack our schools and our hospitals and our businesses,” Rep. Jim Langevin, D-R.I., a senior member of the House Homeland Security Committee and a co-chair of the Cybersecurity Solarium Commission, said during an online event before the report’s release. “We’re getting our house in order to develop a national strategy.”

Late last year, the Cybersecurity and Infrastructure Security Agency warned that cyberattacks in general — and ransomware specifically — against schools were becoming more aggressive. In January, the agency announced an anti-ransomware public awareness campaign targeted at local governments, the health care sector and K-12 schools.

Langevin also said he plans to reintroduce legislation he sponsored last year with Rep. Doris Matsui, D-Calif.,  that would create grants to help school districts to strengthen their cybersecurity workforces and assets, and create an online clearinghouse for sharing information pertaining to the K-12 sector.

Vendor hacks

While Langevin and other members of Congress have tried passing meaningful legislation aimed at helping entities like K-12 schools defend against ransomware, the K-12 Cybersecurity Resource Center and K12 Six report also warns of another increasing threat: hacks of education IT vendors, whose roles became even greater as the pandemic turned school into a mostly digital experience.

At least three-fourths of all data breaches at schools last year involved compromises of vendors, including Blackbaud, which suffered a major breach that also affected some of its higher-education customers. The groups behind the report suggest that K-12 cybersecurity would be improved with greater oversight of the educational technology industry.

“Indeed, the fact that data breaches and other security incidents continue to plague school district vendors and their partners should raise significant questions about the sufficiency and effectiveness of both industry self-regulatory efforts and existing data privacy and security regulations,” the report reads.