Article originally published in the New York Times
Schools handle a lot of personal data and may not have strong technology teams, leaving them vulnerable to attacks, experts say.
Some hackers demand ransom; others sweep up personal data for sale to identity thieves. But whatever hackers’ motives, school systems around the country have been the targets of their cyberattacks.
One attack forced the Houston County School District in Dothan, Ala., to delay the first day of school for 6,400 students. Others crippled computer systems at the Syracuse City School District in upstate New York and at three school districts in Louisiana.
Many public institutions, including hospitals, local governments and colleges, have been hit with ransomware attacks in recent years, but school districts have proved particularly enticing to hackers because they hold troves of private data and often lack the resources to fend off intruders.
Nearly two-thirds of school districts in the United States serve fewer than 2,500 students, and many do not have a staff member dedicated solely to cybersecurity, according to Keith R. Krueger, the chief executive of the Consortium for School Networking, a group that represents technology employees at primary and secondary schools.
Cybersecurity “is a tremendously growing concern for school districts,” Mr. Krueger said, adding that members of his organization now rank it in annual surveys as their top source of anxiety.
In Louisiana, Gov. John Bel Edwards declared a state of emergency after a virus disabled computers at three school districts, including one in which the virus also knocked out the district office’s phone system.
The three Louisiana attacks — on the schools in Sabine and Morehouse parishes and the city of Monroe — had similar traits, according to Christina Stephens, a spokeswoman for the governor. She declined to discuss the attacks in detail because state and F.B.I. investigations of the incidents are still in progress.
Ms. Stephens said state authorities are working with the districts to eradicate the virus before students return to school in early August.
“We’re operating as we would in any national disaster,” she said, noting that the state-of-emergency declaration was the first the state had issued for a cyberattack. “We’re using the same kind of hierarchy that we use during hurricanes.”
Ms. Stephens said local and state governments around the United States are realizing that “this is the next area of concern for government infrastructure.”
The Internal Revenue Service warned in 2017 that a scheme to target confidential tax data had “evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.”
It may be a while before schools’ defenses are able to catch up with the abilities of the hackers who target them, said Eva Vincze, a faculty member in the cybersecurity and police and security studies programs at George Washington University.
“Most school systems, especially in small communities, do not have the resources to keep up with each generation of threats that bad actors come up with,” Dr. Vincze said. She added that schools may put themselves at risk by having “the same mentality that is pervasive in the business sector: ‘It won’t happen to us.’”
“In reality, it can and does happen to everyone,” she said.
According to Mr. Krueger, cyberattacks on school districts and other organizations begin when an employee — perhaps someone in the financial office, where a lot of sensitive information is stored — opens an email that appears to have come from a supervisor or even the district superintendent, but in fact carries malware that compromises the employee’s computer and the district’s network.
School officials in Dothan, Ala., said the F.B.I. is investigating the malware attack on its computers, but declined to discuss the hackers’ possible motives.
In Syracuse, the motivation appeared to be money.
The Syracuse school district said on Friday that its insurance policy would cover the cost of regaining access to its computer systems, subject to a $50,000 deductible that the district expects to pay, according to The Post-Standard newspaper. The district has been locked out of its computer and email systems since July 8.
District officials did not specify the total cost of regaining access, identify the insurer or confirm that any of the money was for ransom, the newspaper reported. The school board president did not respond to a request for comment on Saturday.
The city council in Riviera Beach, Fla., agreed to authorize a nearly $600,000 ransom payment after hackers paralyzed the city’s computer systems.
The city council in Riviera Beach, Fla., agreed to authorize a nearly $600,000 ransom payment after hackers paralyzed the city’s computer systems.CreditWilfredo Lee/Associated Press
Other cities, like Riviera Beach, Fla., have freed themselves from hackers by having their insurance companies pay most of the ransom the hackers demanded, often using cryptocurrency like Bitcoin, which obscures the recipients’ identity.
School officials in Houston County, Ala., which borders Florida and Georgia, have been similarly reticent to disclose specifics, declining to tell reporters whether attackers there had demanded ransom. The superintendent, David Sewell, did not respond to inquiries on Saturday.
Mr. Sewell previously told The Dothan Eagle that even when the schools finally open, four days later than planned, teachers may not be able to use their computers.
“More than likely, teachers will have to take roll the old-fashioned way — with pen and paper,” Mr. Sewell said.