Tawnell D. Hobbs
Hackers looking to exploit sensitive information for profit are increasingly targeting the nation’s schools, where they are finding a relatively weak system to protect a valuable asset: student data.
Cyberthieves have struck more than three dozen school systems from Georgia to California so far this year, stealing paychecks and data or taking over networks to extort money. The thefts have prompted many school officials to hire cybersecurity consultants to fight back against a trend that experts say is growing fast.
The attackers have gained access to servers containing student names, addresses, Social Security numbers, birth dates, academic performance, phone numbers and medical and discipline records—in some cases releasing data in an escalating series of demands and actions.
A few districts, betting that surrender would be cheaper and easier than defeating a hack, have gone against FBI advice and paid off the hackers.
“They know that cyber craziness is not our game, and they are winning,” said Laura Sprague, a spokeswoman in the Johnston Community School District in Iowa, where hackers this month publicly released student information. “These groups are targeting some of the most vulnerable people in the nation—kids.”
Cyber experts say as schools rush to ramp up the use of technology in the classroom, they haven’t done enough to protect an easily monetized trove of data on students.
“Bad guys can use that information to create fake identities and things like that, and that information can be sold on the black market for a lot of money,” said Zuly Gonzalez, a former cybersecurity expert with the National Security Agency and CEO of Light Point Security in Maryland.
In 2016, the FBI’s Internet Crime Complaint Center received 2,673 complaints from various entities including schools for ransomware, which locks up networks, with victim losses of $2.43 million—up from $1.62 million in 2015. For extortion cases, where thieves target sensitive information for payment, losses increased by 7% to $15.8 million last year. The numbers for both categories are likely much higher; the FBI notes that only about 15% of the nation’s fraud victims report the crimes to law enforcement.
Hackers gain access in various ways, including from users opening infected emails, links or programs. Affected schools have lost tens of thousands of dollars either by fighting back against attacks, reimbursing stolen paychecks, providing credit-monitoring services for victims, or paying off the hackers.
Los Angeles Valley College in California paid $28,000 in ransom to hackers in January. Dorchester School District Two in South Carolina paid $2,900 in July. In 2016, Horry County Schools in South Carolina paid nearly $10,000.
School districts in Atlanta, Boston and Georgia’s Fulton County each had payroll checks stolen this year after hackers rerouted employee direct-deposits into unauthorized accounts.
The FBI warns against paying ransom, saying it is a risky strategy that could encourage future attacks and possibly fund other illicit activity by the hackers, who are mostly outside the U.S.
“We don’t condone the payment of ransom. However, we understand that certain business decisions have to be made,” said Lauren Hagee, a spokeswoman with the FBI’s Dallas division.
School officials who paid up say they had little choice.
“If we decided not to pay, it would virtually guarantee our data would be lost,” said Los Angeles Valley College spokeswoman Jennifer Fong Borucki. After paying, “we’re back up and running,” she said.
Charles Hucks, Horry County’s executive director of technology, said its nearly $10,000 payment to hackers pales in comparison to each day it didn’t have access to files and content created by 43,000 students and 4,000-plus faculty and staff. “Virtually all aspects of operation were impacted other than those hosted outside of the district,” he said.
The ransoms were paid in bitcoin, a digital currency preferred by hackers because it is hard to trace.
Columbia Falls School District Six in Montana received a seven-page threatening letter from hackers last month.
“We know everything about your schools and the children in them,” it read, adding that if officials didn’t pay up, “we will escalate our use of force in a tiered process that will involve an ever increasing level of damage and harm for you.”
Hackers gave Columbia Falls officials three payment options, ranging from $75,000 to $150,000, and federal officials are investigating, officials said.
“Our school districts are not set up to have the capabilities to keep people like this out,” said Columbia Falls Police Chief Clint Peters.
In Iowa’s Johnston Community School District, hackers released student names, addresses and parents’ phone numbers on a public website earlier this month after sending threatening text messages to parents, some of which included threats to kill their children. School was canceled the following day as a precaution.
On Oct. 5, a Twitter page using the name of a well-known hacker took credit for Johnston County’s hack in a tweet that read: “With the student directory from JCSD we released, any child predator can now easily acquire new targets and even plan based on grade level.”
The district won’t say if the hackers made monetary demands due to an active investigation by local police and the FBI.
In the Splendora Independent School District in Texas, where hackers are threatening to release student information, physical security has been beefed up but parents are on edge.
“My kid has to go there. I’m just trying not to think about it too much, if I do, I’ll just start to worry,” said parent Tiffany Autrey.
School districts are responding to the increase in hacks by bringing in security experts, investing in cyber insurance and getting employees trained in computer security.
Dorchester schools beefed up their security after being hacked. The district paid a $5,000 deductible in an insurance claim, which covered the $2,900 ransom and just over $150,000 for legal fees, consulting costs and personnel costs to rebuild some databases destroyed in the hack.
Some school districts have spent thousands to reimburse employees whose direct deposits were rerouted by hackers, including Atlanta Public Schools where 27 employees had a combined $56,000 stolen in such a scheme last month.
At Fulton County Schools in Georgia in August, thieves tricked 46 employees into providing login credentials via phony emails and then used that information to reroute direct deposits onto reloadable money cards. About $75,000 was lost, with the district recouping about $3,400 by reversing some transactions. The district reimbursed its employees.
Cyber experts say schools need to be proactive in the rush to go digital, such as by keeping antivirus software up to date, keeping backup files, and providing computer security training.
“We’re rushing to connect everything while we know that even for the most sophisticated technology companies in the world that they’re vulnerable, and schools don’t have a chance in that context,” said Douglas A. Levin, president of EdTech Strategies LLC, a Virginia-based research and consulting company focused on education and technology. “It’s really a nightmare.”
Write to Tawnell D. Hobbs at Tawnell.Hobbs@wsj.com