At least 45 school districts and 44 colleges and were hit by ransomware attacks in 2022, according to a year-end report from internet security firm Emsisoft.
The annual number of attacks has held steady over the last four years despite aggressive prevention efforts by the cybersecurity industry and the government.
The attackers are reaching more schools by going after larger districts. Last year, targeted school districts operated 1,981 individual schools, nearly double the number of schools targeted the year before.
Cybersecurity experts believe the actual number of incidents is much higher than reported.
Ransomware attacks involve hijacking sensitive data from an organization, then demanding money to either return the data or prevent it being published on the dark web.
In 2021, ransomware groups successfully acquired data from roughly half of the schools they targeted, the report says. In 2022, they increased that rate to two-thirds.
The highest profile attack involved the Los Angeles Unified School District (LAUSD), the nation’s second largest, over Labor Day weekend. Hackers gained access to district-wide emails, student management records, bus system servers, and district’s purchasing, vendor bidding and construction project management systems
The attack was conducted by Vice Society, a notorious ransomware group which had already hit eight other school districts in 2022. Approximately four weeks after the breach, the group threatened to publish the data if a ransom was not paid.
Following the advice of the FBI and federal cyber security officials, the district ignored the threat and watched idly as 250,000 files were posted on the dark web. The files contained Social Security numbers, contracts, W-9 tax forms, invoices, disciplinary records, and passport information on both students and staff, contradicting the district’s previous attempt to downplay the severity of the attack.
The highly personal nature of student and staff disciplinary records also subjected victims to potential further exploitation, since damaging information was no longer private.
“Once it goes on the darknet, hackers in all corners can ultimately access,” said Ekram Ahmed of Check Point, a data breach research firm.
The district has offered free credit monitoring for affected students and staff, a move that is common following such an incident, but ineffective at preventing misuse of the exposed data.
The Los Angeles breach offers many lessons for safeguarding essential computer systems from unauthorized access, but many of the necessary measures are beyond the competency of small-district IT personnel, or simply too expensive for cash-strapped districts to undertake.
Until such safeguards can be implemented, limiting the amount of sensitive information schools are permitted to retain is likely the best alternative, experts say.