In the 30+ years since Ferris Bueller memorably hacked into his high school’s attendance system and reduced his absences from nine times to two, cyber threats faced by school districts have increased by orders of magnitude. While every business and non-profit organization is confronted with risks such as ransomware, phishing, and denial of service attacks, school districts must exercise even greater caution, often with fewer resources, then other entities.
One expert compiled a list of 122 publicly reported cyberattacks on schools in 2018. Last year, that number increased almost threefold to 348. The majority of these incidents involved unauthorized disclosure of student data and a significant number of involved ransomware or other malware. Alarmingly, over half of the breach incidents were due to actions or inactions of people or entities known to the school district.
Phishing and Spear-Phishing
Phishing and spear-phishing, in which a cybercriminal impersonates someone known to the recipient of an email in order to obtain information – or even payment – are not threats unique to school districts; however, unlike attacking businesses, where cybercriminals first have to commit a cybercrime in order to learn the identities of their target’s business contacts, the identities of most vendors and contractors servicing school districts are publicly known. Therefore, the first step in a phishing or spear-phishing attack is often done without the cybercriminal having had to commit a crime.
Phishing and spear-phishing can be very costly. Last year, a district in Kentucky thought it was paying a vendor $3.7 million. In reality, a cybercriminal sent the district a fraudulent email and documentation, resulting in the district paying the criminal, not the vendor. Thankfully, the district acted quickly and, with the assistance of state and federal law enforcement officials, was able to recover all $3.7 million. Not all districts are as lucky; two different districts in Texas were recently defrauded out of $2.3 million and almost $2 million by various phishing scams.
Phishing can also lead to cybercriminals accessing data, such as students’ personally identifiable information (“PII”), as happened in San Diego, California, when the Social Security numbers and addresses of over 500,000 students were wrongfully obtained.
Ransomware Attacks
Less frequent incidents involve ransomware, in which educators are unable to access data until a ransom is paid, and denial of service attacks, in which cybercriminals cut off educators’ access to one or more of their networks.
The common thread among all of these cyberattacks is the manner in which cybercriminals access school districts’ data. With increasing frequency, cybercriminals are using actions or inactions of district users to gain access to the district’s data. Going back to Ferris Bueller accessing his attendance records, it’s not too hard to image Ferris tricking either Dean Rooney or his assistant Grace into granting him access to that information – without knowing that’s what they were doing. The modern equivalent would be replying to an email, or even clicking on a hyperlink in a message, that looks somewhat suspicious. Believe it or not, that’s all it takes for a cybercriminal to have sufficient access to a school district’s entire network.
While governmental immunity tends to inoculate school districts from many civil lawsuits, it is not absolute. therefore, to protect the district’s resources from both cybercriminals and litigation arising from cybercriminals accessing students’ PII, districts are strongly encouraged to work with outside advisors (legal and information technology) to formulate and implement data security policies and incident response plans – and to make sure that all users follow these policies. In addition, education and training, such as on what links to follow, what makes a strong password, and what Wi-Fi network to not use, can significantly reduce the likelihood that your district will be the next victim of a cybercrime.
Hal Ostrow, a shareholder at Rhoades McKee, is a transactional attorney who regularly advises clients on matters involving cybersecurity, data aggregation, and information technology. He represents organizations of all sizes in negotiating and drafting agreements such as data ownership and licensing contracts, terms of use, privacy policies, cybersecurity prevention policies, and incident response plans. He also guides organizations on their evolving obligations to safeguard their users’ data and during responses to cyberattacks. Mr. Ostrow served on the State Bar of Michigan’s “Building a 21st Century Practice” Task Force, a comprehensive study of the intersection of law and technology, and advises his colleagues as a leader of Rhoades McKee’s Technology Committee. He received his BA from Wittenberg University in 1996 and his JD from the University of Pittsburgh School of Law in 1999.
This article was originally featured in The Source.
