Schools fear ransomware
Suspect extortion attack on computer tracking grades
As the outage of the online grading and attendance system used by many New York City public schools drags into its seventh day, experts say they are worried the program was the target of a ransomware attack.
Skedula, the website many city teachers use to enter grades, daily attendance and store student and parent contact information, and PupilPath, its student-and-parent-facing counterpart, have been down since last Saturday with the exception of a brief restoration of the mobile app Thursday night.
The California company that owns the platforms reported an “attempted security incident” led to the shutdown.
Experts who study cybersecurity and schools say the duration of the outage and the vague communication from the company could suggest a ransomware attack, where hackers infiltrate a computer system and demand payment to restore it or refrain from releasing sensitive data.
“Based on my experience tracking K12 cyber incidents since 2016, it seems a reasonable assumption that a security-related disruption of this length could be ransomware,” said Doug Levin, the national director of K12 Security Information Exchange, a group that tracks cyberattacks targeting schools and education platforms.
Kurtis Minder, the CEO of the cybersecurity firm Groupsense, said public speculation that ransomware is behind the outage is “not completely uninformed.”
Illuminate Education, the company that owns Skedula and PupilPath, has given little public information about the situation. A status update page has given the same message for the past four days, promising the company is working “diligently to restore service to affected applications.”
A message on the Skedula home page says the company is working with “third-party forensic specialists to investigate the incident and confirm the effect to our systems.”
A company spokeswoman did not respond to questions Friday.
Levin says vague communication from companies or organizations dealing with cyber or ransomware attacks is commonplace.
“In many cases, especially if lawyers, law enforcement, and insurance companies are involved, organizations will err on the side of disclosing as little as possible about what is actually happening,” Levin said. “In some cases, they may be gathering forensic evidence to charge someone with a crime; in other cases, they may be negotiating with the ransomware actors to pay an extortion demand.”
“Some companies fear litigation and bad press so will say as absolutely little as they are allowed by law,” he added.
The ongoing outage raises several troubling questions for city schools and families.
First, many educators and families say it has severely hampered their ability to carry out basic classroom functions. Many teachers rely on the program to contact families, and vice versa, and the class-by-class attendance entry helps schools with COVID-19 contact tracing by providing a record of which kids shared a class with an infected classmate.
Department of Education officials noted final attendance and grades are entered in separate systems that were not affected.
Some anxious teachers are also worried that grades they entered in Skedula and didn’t back up elsewhere are gone for good.
The company has been in touch with some schools about “extracting” and sending data even while the website remains down, educators said. One city principal claims their school received a “data capture” with information including grades, but that it wasn’t presented in a user-friendly format.
Teachers reported that the Skedula mobile app was back up and running briefly Thursday night — and appeared to still have all the data it did when the system shut down last Saturday — but went offline again Friday morning.
Levin said it’s a “good sign” the company was able to recover at least some of the data, but the fact the app went down again is “not a great sign.”
There is also the question of whether any “personal identifiable information” like student and parent addresses and phone numbers, which are stored in Skedula, was compromised. Company officials told The News on Tuesday there “is no confirmed evidence sensitive data was taken.”
DOE spokeswoman Sarah Casasnovas added, “So far there is no confirmation any of our schools’ information was accessed or taken.”
City public schools contract with Illuminate Education on an individual basis, but the company is an approved vendor of the city Education Department, which means it signed a privacy agreement with the agency and underwent “a rigorous review process by” the DOE’s IT Department, agency officials said.
Schools have forked over nearly $17 million to the company since February 2019, payment records compiled by the city comptroller detail, and about $6 million last fiscal year, according to the DOE.