School cyberattack cancels classes
Albuquerque district’s shutdown affects 75,000 students
SANTA FE, N.M. — When the superintendent of Albuquerque Public Schools announced this week that a cyberattack would lead to the cancellation of classes for about 75,000 students, he noted that the district’s technology department had been fending off attacks “for the last few weeks.”
Albuquerque is not alone, as five school districts in the state have suffered major cyberattacks in the past two years, including one district that’s still wrestling with an attack that hit just after Christmas.
But it’s the first reporting of an attack that required canceling classes, all the more disruptive as schools try to keep in-person learning going during the pandemic.
“If it seems I’ve come into your homes a lot in the past couple of years to share difficult news, you’re right. And here I am again,” Superintendent Scott Elder said in a video address Thursday. “We find ourselves facing yet another challenge.”
The closures, on Thursday and Friday, affect approximately one in five New Mexico schoolchildren in the country’s 35th-largest school district by enrollment, according to 2019 data from the National Center for Education Statistics. The district was one of the last in the state to reopen last year as vaccines became available.
The small town of Truth or Consequences discovered a cyberattack Dec. 28 and still hasn’t gained control of its computer systems.
“We’re not out of the woods yet,” said Mike Torres, the information technology director of the school system in Truth or Consequences, a small town in central New Mexico.
The attack has not been previously reported. It came when students were on vacation, allowing time to make contingency plans before they returned. Torres said that while the attack “made computer systems unavailable,” disruption has been minimal.
That wasn’t the case in Albuquerque, where teachers discovered Wednesday morning that they were locked out of the student information database that tracks attendance, records emergency contacts for students, and tracks which adults are allowed to pick up which students at the end of the school day.
In 2019, Las Cruces Public Schools also suffered an attack on their student information database, after a phishing attack lured one or more employees to click a malicious link in an email months before, recalled Matt Dawkins, that district’s information technology director.
After lurking and scoping out the district’s system, a hacker or hackers carried out a ransomware attack. Data on many school computers, starting with the student database, became encrypted. A ransom was demanded in exchange for the encryption key.
“It’s kind of like when your house gets robbed, you know? That feeling of being violated,” Dawkins said Thursday.
The school didn’t pay the ransom, and eventually found a way to reset its data systems to the state they were in the day before the attack. But it required months of hands-on work and extra expenses for temporary WiFi hotspots and some new computers. Insurance covered much of the cost.
In the past two years, at least four other New Mexico schools have been hit by costly cyberattacks, said Patrick Sandoval, interim director of the New Mexico Public School Insurance Authority, which insures all districts in New Mexico except for Albuquerque.
Targets across the U.S. in 2021 included universities, hospitals and a major fuel pipeline. Data on the number of attacks and their cost are difficult to track, but the FBI’s 2020 annual report on cyberattacks said about $4.1 billion in damages was reported by institutions across the country last year.