The Atlanta Journal-Constitution
Cybercriminals make school data a target
Districts forced to deal with attacks, but breaches ‘inevitable.’
Three sets of eyes are trained on a bank of glowing screens that wraps around the room.
Data flashes. Charts fill a large panel.
The systems engineers sit in front of smaller, desktop computer monitors. They scan information as it pours in and check for problems.
The network operations center, which opened a couple of years ago in a former school turned technology hub, is the front line of the DeKalb County school district’s defense against hackers, cyber threats, and data theft.
“We get close to about 3,000 attacks a day, and so we are able to see it and constantly make adjustments,” said chief information officer Gary Brantley, who likened the onslaught to a
barrage of missiles. “The biggest focus is, we are trying to protect kids. We are trying to protect student information.”
As school districts ditch chalkboards and paper files for computers and data systems with valuable details about employees and students — from personal identification to grades, attendance records, parents’ names, and contacts — cybercriminals have targeted them.
Online scammers steal paychecks, swipe data, and even have demanded ransom after taking over district’s networks.
In recent months, three metro Atlanta school districts reported email phishing attacks. Thieves nabbed nearly $130,000 from Atlanta Public Schools and Fulton County Schools by fooling dozens of employees with fake emails that allowed hackers to gain access to their online information and reroute direct deposits.
A third district, Clayton County Public Schools, said attackers tried unsuccessfully to reroute paychecks from 28 unsuspecting workers.
In October, the U.S. Department of Education warned schools of extortion attempts in at least three states. Cyberattackers threatened to release student information and, in some cases, threatened violence unless the district paid up. Some schools have. There have been at least 283 cybersecurity incidents at K-12 public schools since 2016, according to a tally by education technology consultant Doug Levin. He thinks his count underreports the scope of the security troubles.
“These are new threats facing schools. They are harming individuals. They are disrupting school schedules and class time and they are costing schools and taxpayers a lot of money, and we are going to need an effective and sort of comprehensive response to it,” said Levin, president of Virginia-based EdTech Strategies.
Data breaches are so expected that a policy guide the National School Boards Association released this year called them “inevitable.”
In the days after the Atlanta attack, the district warned that confidential data for all its roughly 6,000 employees may have been exposed. Bill Caritj, chief accountability and information officer, now says further forensic analysis found no evidence of a widespread problem.
Fulton and APS both repaid employees after their paychecks were stolen. Fulton officials plan to ask the school board for about $250,000 to beef up protections, while APS spent $150,000 on a forensic investigation and will pay a company $32,653 a year for three years to educate and train staff and students.
Both districts also called in law enforcement.
Districts throughout the metro area said they routinely review and update security systems to try to thwart cybercrime. They pay millions of dollars to secure networks, upgrade firewalls and purchase anti-virus protections.
For example: Gwinnett County Public Schools will spend nearly $1 million over a three-year contract for software to prevent attacks that aim to disrupt legitimate access to the system. The state’s largest district also spent roughly $2.8 million this year on other security measures, including encryption tools, as it implemented a data policy plan over the past 18 months.
After the phishing attacks, both Fulton and Atlanta schools limited access to payroll systems. They also are adding authentication steps needed to log in — such as requiring users to retrieve codes sent to their cellphones.
Gwinnett also plans to add that feature, superintendent J. Alvin Wilbanks said. And instead of allowing schools to manage their own websites, the district is centralizing that work.
A big part of the security effort is focused on education. Wilbanks said he’s training himself to look closely before opening emails.
“I don’t know that I did that six months ago. I didn’t have to worry about it too much six months ago,” he said. “One person being derelict can cause some real issues.”
Local districts are laying traps for employees by sending out managed phishing emails to see if they click on a link or provide sensitive information.
In Fulton schools, the emails are made to look as real as possible by including school images and official-looking salutations. Employees who fall for the ruse are enrolled in a training session, said Derrick Johnson, director of information technology and security.
DeKalb’s watchful computer experts will shut down access to its network, including email, in a particular region if there’s a high volume of suspicious traffic coming from a certain country.
Privacy and security advocates are pushing for stricter reporting requirements for school districts and vendors.
The federal education department encourages but does not require school districts to report data breaches. States take a patchwork approach to notification mandates, though more attention has been paid to the topic recently.
In Georgia, school districts are to notify residents whose unencrypted personal information was acquired without authorization, but districts don’t have to report incidents to the state education department.
A privacy act that became law in 2016 requires notification by the Georgia Department of Education if student data that it collects is breached. The department informs specific members of its administration as well as the superintendent of the affected school district and the attorney general.
This month, the Missouri state auditor backed a bill to require schools to alert parents of data breaches. The announcement highlighted the market for children’s stolen identities, thefts that might go undetected for years because few people monitor kids’ credit reports.
“The way the laws are written, the ways that they are actually working on the ground, it’s not consistent. It’s very muddy. We really need federal guidance on this so everyone is playing by the same rules,” said Rachael Stickland, a Colorado mother and co-chairman of the Parent Coalition for Student Privacy.
FBI investigators said there’s nothing particularly unique about school districts as a target for cybercriminals. Hackers look for vulnerabilities, said Michael F.D. Anaya, a supervisory special agent on a cyber squad in the Atlanta field office.
Some in the education field fear school systems are susceptible to online threats because many don’t have the money or dedicated security experts to fight back.
In extreme cases, hackers have terrorized communities, leading to temporary school closures.
A couple of months ago, overseas hackers tried to extort up to $150,000 worth of the digital currency Bitcoin from a Montana school district. School officials indicated they would not pay, following the advice of law enforcement, according to news reports.
“We know everything about your schools and the children in them,” read the ransom note, released by the sheriff ’s office. “We know who the problem children are, who the honour performing children are, and even who many of the parents are.”
Levin, the educational technology consultant and researcher, said such breaches require high-level, outside expertise.
“When you have really sort of exceptionally skilled, nefarious hackers targeting schools there’s very little that most schools are going to be able to do to protect themselves,” he said.