When the COVID-19 pandemic took hold, only technology enabled schools to stay open and continue instruction from a distance. But with the benefit of that connection comes the risk of sensitive information getting into the wrong hands. 

According to the FBI, schools are now the most popular target for cyberattacks. The K12 Security Information Exchange (K12 SIX) tracks these incidents as reported in school districts throughout the country, and the organization has reported 1,331 cyber incidents between 2016 and March 2022.  

Even as schools have shifted back to in-person instruction, the problem is as pervasive as ever. According to K12 SIX’s latest annual report, 2021 marked the third straight year in which over 50 ransomware attacks had been reported—and the first year ever in which they were the most frequently reported incident type. Because the data relies on reported incidents, the true numbers aren’t known. In Texas, school districts are required to report cyber incidents to TEA. Several incidents have also been publicized in the news, including a ransomware attack in San Antonio’s Judson ISD and another in Allen ISD in the Dallas-Fort Worth Metroplex. 

What is ransomware? 

Malicious software, or malware, is designed specifically to disrupt, damage, or gain unauthorized access to a computer system. In ransomware attacks, an attacker demands a sum of money before releasing the compromised data—and the return of that information, or the promise that the data won’t be disseminated, is not guaranteed. 

Virtually no industry remains untouched by cyberattacks. Everyone from the biggest tech companies to the smallest school districts in Texas have been affected. In a world connected by technology, perpetrators are notoriously difficult to track down, especially considering that attackers can shield themselves from consequence by conducting these attacks from overseas. 

Several school districts in Texas have fallen victim to ransomware attacks and have, in some cases, paid out the ransom to recover their resources. In the summer of 2021, Judson ISD paid over $500,000 to protect personally identifiable information (PII) from being published on the dark web, a collection of hidden websites often associated with illicit activity. 

The FBI does not recommend paying a ransom in the event of such an attack. Not only does payment not guarantee that a district will recover its data, but also it emboldens ransomware gangs to continue preying on other victims. 

Nacogdoches ISD suffered a ransomware attack in early 2020 before the pandemic. The district did not pay the demanded ransom, but district officials did alert TEA and the FBI. In some cases years’ worth of classwork was lost, but the district was spared the repercussions of losing PII. 

Two educators from the district shared their experiences and insights with ATPE, illustrating how pervasive this problem is and how vulnerable school districts really are. 

Roya Dinbali, a forensics teacher at Nacogdoches High School, largely relies on pen and paper—and because she teaches in a lab, the classes are very hands-on. Although she wasn’t affected by the cyberattack in 2020 because she had backed up her work, the experience has made her more cautious of emails from even the most trusted sources.  

The signs of an email phishing attempt are not always so obvious, as she shares. In one case, cyberattackers have attempted to phish through social engineering, impersonating district employees to the point they even write their emails in the same style as the employee they’re impersonating. 

According to Dinbali, the signs are easy enough to miss in an inbox full of other messages: The sender’s email address might be cut off, only revealing the employee’s real email address, with “Gmail.com” appended to the end. 

“When you see an email from your principal saying something needs to be done right now, you get that sense of urgency. But thankfully when this first started, something told me to reach out to the ‘sender’ directly.” 

Ransomware runs rampant 

Travis Squyres, a robotics and cybersecurity teacher at Nacogdoches High School, has his students take on the inner workings of cyberattacks, learning the hardware and software of an operating system and understanding what attackers try to use to get into machines. Given the rise in ransomware attacks and other cyber incidents, he’s confident the skills they pick up in his class will serve them well in their future careers. 

One of Nacogdoches’ neighboring districts, Lufkin ISD, published a position for a cybersecurity analyst on their district career website in March. Squyres remarks: “You wouldn’t have imagined five years ago that you would need someone like this in your school district, but it’s coming.”  

And for many other Texas districts, it already has. 

Athens ISD’s 2020-21 school year was delayed by a week because of a cyberattack that occurred in July 2020. Ultimately, the school board opted to pay the ransom, citing the alternative was the “greater evil in this case.” 

Attackers targeting Allen ISD in fall 2021 took their ransomware demand a step further by contacting parents with children in the district. They sent ominous emails stating that the school district had five days to pay the demanded ransom, or it would go up to $10 million. 

Long-term effects 

The consequences of a ransomware attack can linger in the long term as well, with students’ PII being a prime target for identity theft. In children’s cases, cyberattackers can distribute the information necessary to open a line of credit fraudulently, which can take years to discover—especially when targeting a child. 

“It’s an uphill battle trying to defend yourself, finding out years down the road that this happened,” Squyres says. “And it’s not even guaranteed that you’ll have any recourse.” 

In some districts where PII was compromised, including Allen and Dallas ISDs, the affected districts offered students and parents access to a free credit monitoring report to alert them to any suspicious activity. However, that may still not be enough.  

“If a district says they’ll offer this service for two years, there’s still plenty of time beyond that for someone to use your information for identity theft,” Squyres says. 

Being proactive, not reactive 

How can school districts protect themselves from cyberattacks? Squyres acknowledges that many school districts may not have the resources available to either hire internal staff or contract the work to a third-party vendor. It wasn’t until his district came under attack that a contractor was sought out to prevent future incidents. 

“It doesn’t matter how big or small your district is. Some small schools think they won’t be noticed, but look what happened to us. Bigger districts feel immune because they have the resources, but they are just as vulnerable.” 

Squyres emphasizes the importance of being prepared going forward, saying that districts need to operate under the assumption that it will happen if it has not already. “It’s not a matter of if, but when.” 

Dinbali is relieved that the 2020 ransomware attack in Nacogdoches didn’t turn out worse than it did, but her own district’s experiences—and those of districts that were not so fortunate—are a cautionary tale to be proactive, not reactive.