Officials tell schools not to pay ransomware demands. Parents disagree, survey finds
Research published this week by the cybersecurity company Kaspersky found that a majority of parents of K-12 students would support their children’s school districts paying off ransomware actors in the event of an attack, despite the fact that government officials routinely tell victims not to pay and industry experts warn that payment is no guarantee of recovering corrupted or stolen data.
According to the survey of 1,014 parents of school-aged youths, 72% said they’d support paying hackers’ demands if it meant keeping their kids’ personal data, academic histories and medical records from being leaked. And 67% of parents said they were either somewhat or very concerned that their children’s schools will be hit by a cyberattack.
Brian Bartholomew, a principal researcher at Kaspersky, said he was “left scratching my head” by those responses, but also told EdScoop he understands parents’ fears as ransomware becomes a more common topic in the news, especially as schools nationwide aim to resume more normal operations after a year-and-a-half of pandemic-induced restrictions.
“Parents want to have their children have some normalcy with their education, and the last thing they want is to have their kids’ schools shut down,” he said. “They weren’t really concerned with the money issue as much as their kids’ data. You’ve got anything from Social Security numbers to health records.”
School districts across the country lost days of virtual and in-person learning over the past two years as the number of ransomware events affecting the education sector has grown. And others, like Fairfax County, Virginia, Public Schools, have seen student and staff information stolen and published after refusing to pay. Schools in Clark County, Nevada, which includes Las Vegas, suffered a similar fate last fall.
“Actors are not after extravagant victims,” Bartholomew said. “They’re after low-hanging fruit. The majority of [school districts] are under-resourced.”
And despite guidance from the FBI and other federal agencies that ransomware victims should never pay, schools — like organizations in other sectors — often do so anyway to avoid a leak of data that might have legal consequences later on.
Earlier this month, the Judson Independent School District in Bexar County, Texas, acknowledged paying unnamed ransomware actors $547,000 to regain access to locked-up systems and stop the leak of students’ and teachers’ personal information. Officials there said they had “no other choice.”
“When you have a large organization, if they have a bunch of clients, their board is making this decision along with the insurance company,” Bartholomew said. “Do we tell the clients and risk the wrath of the clients?”
Schools, he continued, “are the custodians of our children” tasked with handling their data responsibly. “If they fail, whether it’s their fault or not, it is their responsibility to let their customers know,” he said.
Bartholomew said that schools have access to more cybersecurity resources than before, particularly from entities like the Multi-State Information Sharing and Analysis Center operated by the Center for Internet Security, which last week said it expects an 86% jump in the number of cyber incidents affecting K-12 schools.
Despite parents’ grim assessment of schools’ readiness, the Kaspersky survey found that schools are at least doing a better job of communicating about cyber hygiene steps that could help prevent attacks, with 80% saying schools give them information about cyber preparedness. But when it comes to alerting communities about ransomware events, the survey found schools to be less forthcoming: Just 34% of parents whose schools experienced an attack were informed directly, while 57% heard about incidents from secondary sources, like their local news.