Criminals in cyberspace make schools’ data a target

Three sets of eyes are trained on a bank of glowing screens that wraps around the room.

Data flashes. Charts fill a large panel.

The systems engineers sit in front of smaller, desktop computer monitors. They scan information as it pours in and check for problems.

The network operations center, which opened a couple of years ago in a former school turned technology hub, is the front line of the DeKalb County school district’s defense against hackers, cyberthreats, and data theft.

“We get close to about 3,000 attacks a day, and so we are able to see it and constantly make adjustments,” said chief information officer Gary Brantley, who likened the onslaught to a barrage of missiles. “The biggest focus is, we are trying to protect kids. We are trying to protect student information.”

As school districts ditch chalkboards and paper files for computers and data systems with valuable details about employees and students — from personal identification to grades, attendance records, parents’ names, and contacts — cyber criminals have targeted them.

Online scammers steal paychecks, swipe data, and have even demanded ransom after taking over districts’ networks.

In recent months, three metro Atlanta school districts reported email phishing attacks. Thieves nabbed nearly $130,000 from Atlanta Public Schools and Fulton County Schools by fooling dozens of employees with fake emails that allowed hackers to gain access to their online information and reroute direct deposits.

A third district, Clayton County Public Schools, said attackers tried unsuccessfully to reroute paychecks from 28 unsuspecting workers.

In October, the U.S. Department of Education warned schools of extortion attempts in at least three states. Cyberattackers threatened to release student information and, in some cases, threatened violence unless the district paid up. Some schools have.

There have been at least 283 cybersecurity incidents at K-12 public schools since 2016, according to a tally by education technology consultant Doug Levin. He thinks his count underreports the scope of the security troubles.

“These are new threats facing schools. They are harming individuals. They are disrupting school schedules and class time and they are costing schools and taxpayers a lot of money, and we are going to need an effective and sort of comprehensive response to it,” said Levin, president of Virginia-based EdTech Strategies.

Data breaches are so expected that a policy guide the National School Boards Association released this year called them “inevitable.”

In the days after the Atlanta attack, the district warned that confidential data for all its roughly 6,000 employees may have been exposed. Bill Caritj, chief accountability and information officer, now says further forensic analysis found no evidence of a widespread problem.

Fulton and APS both repaid employees after their paychecks were stolen. Fulton officials plan to ask the school board for about $250,000 to beef up protections, while APS spent $150,000 on a forensic investigation and will pay a company $32,653 a year for three years to educate and train staff and students.

Both districts also called in law enforcement.

Districts throughout the metro area said they routinely review and update security systems to try to thwart cybercrime. They pay millions of dollars to secure networks, upgrade firewalls and purchase anti-virus protections.

For example: Gwinnett County Public Schools will spend nearly $1 million over a three-year contract for software to prevent attacks that aim to disrupt legitimate access to the system. The state’s largest district also spent roughly $2.8 million this year on other security measures, including encryption tools, as it implemented a data policy plan over the past 18 months.

After the phishing attacks, both Fulton and Atlanta schools limited access to payroll systems. They also are adding authentication steps needed to log in — such as requiring users to retrieve codes sent to their cellphones.

Gwinnett also plans to add that feature, superintendent J. Alvin Wilbanks said. And instead of allowing schools to manage their own websites, the district is centralizing that work.

A big part of the security effort is focused on education. Wilbanks said he’s training himself to look closely before opening emails.

“I don’t know that I did that six months ago. I didn’t have to worry about it too much six months ago,” he said. “One person being derelict can cause some real issues.”

Local districts are laying traps for employees by sending out managed phishing emails to see if they click on a link or provide sensitive information.

In Fulton schools, the emails are made to look as real as possible by including school images and official-looking salutations. Employees who fall for the ruse are enrolled in a training session, said Derrick Johnson, director of information technology and security.

DeKalb’s watchful computer experts will shut down access to its network, including email, in a particular region if there’s a high volume of suspicious traffic coming from a certain country.

Privacy and security advocates are pushing for stricter reporting requirements for school districts and vendors.

The federal education department encourages but does not require school districts to report data breaches. States take a patchwork approach to notification mandates, though more attention has been paid to the topic recently.

In Georgia, school districts are to notify residents whose unencrypted personal information was acquired without authorization, but districts don’t have to report incidents to the state education department.

A privacy act that became law in 2016 requires notification by the Georgia Department of Education if student data that it collects is breached. The department informs specific members of its administration as well as the superintendent of the affected school district and the attorney general.

This month, the Missouri state auditor backed a bill to require schools to alert parents of data breaches. The announcement highlighted the market for stolen children’s identities, thefts that might go undetected for years because few people monitor kids’ credit reports.

“The way the laws are written, the ways that they are actually working on the ground, it’s not consistent. It’s very muddy. We really need federal guidance on this so everyone is playing by the same rules,” said Rachael Stickland, a Colorado mother and co-chairman of the Parent Coalition for Student Privacy.

FBI investigators said there’s nothing particularly unique about school districts as a target for cybercriminals. Hackers look for vulnerabilities, said Michael F.D. Anaya, a supervisory special agent on a cyber squad in the Atlanta field office.

Some in the education field fear school systems are susceptible to online threats because many don’t have the money or dedicated security experts to fight back.

In extreme cases, hackers have terrorized communities, leading to temporary school closures.

A couple of months ago, overseas hackers tried to extort up to $150,000 worth of the digital currency Bitcoin from a Montana school district. School officials indicated they would not pay, following the advice of law enforcement, according to news reports.

“We know everything about your schools and the children in them,” read the ransom note, released by the sheriff’s office. “We know who the problem children are, who the honour performing children are, and even who many of the parents are.”

Levin, the educational technology consultant and researcher, said such breaches require high-level, outside expertise.

“When you have really sort of exceptionally skilled, nefarious hackers targeting schools there’s very little that most schools are going to be able to do to protect themselves,” he said.
