The US Department of Education issued a warning following recent incidents in which schools with weaker cybersecurity and vulnerabilities were held to ransom over stolen sensitive student information.
The warning said that some cases have “included threats of violence, shaming, or bullying the children unless payment is received.” At least three states have been targeted and the FBI is investigating.
One of the affected schools in Columbia Falls, Montana, reported that hackers “broke into multiple school servers and stole personal information on students and possibly staff.” It was also discovered that the school’s security cameras had been hacked, so all movements could have been watched. A number of threatening ransom messages followed. The ransom note sent to a number of schools and released by the county sheriff’s department is said to be from the Dark Overlord group and “demanded up to $150,000 in bitcoin to destroy the stolen private data.” What’s even more worrying is that the letter mentioned use of force, and referenced Sandy Hook – the school where a gunman killed 20 children and 6 staff in 2012.
Law enforcement officials “did not believe the threats and determined the attackers were located outside of the U.S.” The ransom was not paid, so the leaked data could still appear online, which has the potential to cause problems for the students in the future.
Johnson Community School District in Iowa was also attacked by the same group, which resulted in all classes being cancelled. It was also reported locally that threats were sent to parents and children.
What action needs to be taken?
With schools operating on tight budgets, cybersecurity is not at the top of the list and is “often an after-thought.” For this very reason, schools are considered easy targets and are vulnerable to incidents just like this.
The Department of Education is encouraging schools to review their cybersecurity and, where necessary, conduct audits to identify vulnerabilities, patch weak systems, routinely review for suspicious activity, raise staff awareness of information security and phishing scams, and ensure that appropriate access rights are set on data.
Training multiple staff members can be expensive, but staff awareness training is more affordable and is quicker and easier to implement. IT Governance offers comprehensive and easy-to-follow eLearning courses about information security, phishing, and compliance requirements to make staff aware of security risks and the best practices to follow.