Cyber crimes are growing and underreported in N.H.
CONCORD, N.H. — In April, it happened to the Nashua School District. In June, an attack hit the Lebanon public schools.
The FBI said that cybersecurity attacks are on the rise and schools are particularly vulnerable. In 2022, there were over 1,400 reports totaling losses of $29.3 million in New Hampshire, almost twice the amount lost in 2021. The actual losses are likely much higher, as experts say many victims — including school districts — are reluctant to report attacks.
“If someone broke into a classroom and stole all their computers and switches and other technology, law enforcement would be notified and that would be on the front page,” said Richard Rossi, New Hampshire’s cybersecurity adviser. “But when we have a cyberattack of the same magnitude, that’s often swept under the rug.”
Cybersecurity experts said fear of getting fired or facing scrutiny could prevent school district employees from speaking out.
“The actual number of cybersecurity attacks is likely significantly higher than what’s publicly reported because schools and other victims of cyber attacks fear the consequences of reporting cybersecurity incidents,” said US Senator Maggie Hassan during a Senate Homeland Security subcommittee meeting.
Rossi and other cybersecurity experts are urging school districts to take proactive steps to prevent a breach and to report cybersecurity crimes when they do happen. Efforts also are underway to spend new state and federal funding on cybersecurity.
The impact of an attack on a school can be disruptive and traumatizing for students whose sensitive data can be exposed, and costly for the school district. Students can lose anywhere from three days to three weeks in learning time, according to a 2022 report from the Government Accountability Office.
It often costs school districts more than $1 million to bring in outside cybersecurity experts, restore computers and networks, and secure their system after a breach, according to Pamela McLeod, who founded the New Hampshire Chief Technology Officers Council and the New Hampshire Student Privacy Alliance.
McLeod was working for the Concord School District when it was breached in 2016. The data privacy of all staff members was compromised after attackers obtained W-2 forms.
In Nashua, officials said the district was hit by a sophisticated attack in late April, but school officials weren’t immediately sure whether sensitive information had been compromised. In a June 18 email obtained by the Globe, Superintendent Mario Andrade told families and staff that an investigation into the attack remained ongoing, and that the district was working to restore impacted systems and ensure security moving forward.
He said if the investigation found sensitive information had been impacted, affected individuals would be notified directly. Andrade did not respond to a request for comment on this story.
In Lebanon, the school district was hit by a ransomware attack that included a demand letter in June, the Valley News reported, although school officials said they did not find evidence that personal information had been acquired or misused. Superintendent Amy Allen did not return a request for comment on this story.
Timothy Benitez, the US Secret Service agent in charge of the Manchester office, said it’s common for attacks to come in waves like this. In some cases, reporting can lead to positive outcomes, like recovering stolen funds.
In 2021, $2.3 million in school funds was stolen from the town of Peterborough. Benitez said his team was able to recover around $600,000 — an outcome that was only possible because the town reported the incident. He said many of these crimes are committed by transnational criminal organizations and are only possible to resolve if there’s cooperation among law enforcement in other countries.
This year, the state has received $2.5 million in federal funds for the State and Local Cybersecurity Grant Program that Hassan created as a part of the Bipartisan Infrastructure Law, with the possibility of receiving around $10 million more in the next four years.
Including the state’s match, that could mean $16.6 million for cybersecurity initiatives in New Hampshire.
Around 80 percent of that money will go to local governments, including school districts, according to the state’s cybersecurity plan.
Denis Goulet, commissioner of the N.H. Department of Information Technology, said three programs are already underway.
First, the state is spending $1 million distributing hardware tokens, which are physical keys school districts can use for multifactor authentication, a security measure that makes it harder for a computer to get hacked.
Secondly, the state is spending $1 million to move school and municipal websites to the .gov domain, which includes additional security features.
Third, the state has allocated $100,000 for a security training course that local government IT employees can attend for free.