Criminals in cyberspace make schools’ data a target

Three sets of eyes are trained on a bank of glowing screens that wraps around the room.

Data flashes. Charts fill a large panel.

The systems engineers sit in front of smaller, desktop computer monitors. They scan information as it pours in and check for problems.

The network operations center, which opened a couple of years ago in a former school turned technology hub, is the front line of the DeKalb County school district’s defense against hackers, cyberthreats, and data theft.

“We get close to about 3,000 attacks a day, and so we are able to see it and constantly make adjustments,” said chief information officer Gary Brantley, who likened the onslaught to a barrage of missiles. “The biggest focus is, we are trying to protect kids. We are trying to protect student information.”

As school districts ditch chalkboards and paper files for computers and data systems with valuable details about employees and students — from personal identification to grades, attendance records, parents’ names, and contacts — cyber criminals have targeted them.

Online scammers steal paychecks, swipe data, and even have demanded ransom after taking over district’s networks.

In recent months, three metro Atlanta school districts reported email phishing attacks. Thieves nabbed nearly $130,000 from Atlanta Public Schools and Fulton County Schools by fooling dozens of employees with fake emails that allowed hackers to gain access to their online information and reroute direct deposits.

A third district, Clayton County Public Schools, said attackers tried unsuccessfully to reroute paychecks from 28 unsuspecting workers.

In October, the U.S. Department of Education warned schools of extortion attempts in at least three states. Cyberattackers threatened to release student information and, in some cases, threatened violence unless the district paid up. Some schools have.

There have been at least 283 cybersecurity incidents at K-12 public schools since 2016, according to a tally by education technology consultant Doug Levin. He thinks his count underreports the scope of the security troubles.

“These are new threats facing schools. They are harming individuals. They are disrupting school schedules and class time and they are costing schools and taxpayers a lot of money, and we are going to need an effective and sort of comprehensive response to it,” said Levin, president of Virginia-based EdTech Strategies.

Data breaches are so expected that a policy guide the National School Boards Association released this year called them “inevitable.”

In the days after the Atlanta attack, the district warned that confidential data for all its roughly 6,000 employees may have been exposed. Bill Caritj, chief accountability and information officer, now says further forensic analysis found no evidence of a widespread problem.

Fulton and APS both repaid employees after their paychecks were stolen. Fulton officials plan to ask the school board for about $250,000 to beef up protections, while APS spent $150,000 on a forensic investigation and will pay a company $32,653 a year for three years to educate and train staff and students.

Both districts also called in law enforcement.

Districts throughout the metro area said they routinely review and update security systems to try to thwart cybercrime. They pay millions of dollars to secure networks, upgrade firewalls and purchase anti-virus protections.

For example: Gwinnett County Public Schools will spend nearly $1 million over a three-year contract for software to prevent attacks that aim to disrupt legitimate access to the system. The state’s largest district also spent roughly $2.8 million this year on other security measures, including encryption tools, as it implemented a data policy plan over the past 18 months.

After the phishing attacks, both Fulton and Atlanta schools limited access to payroll systems. They also are adding authentication steps needed to log in — such as requiring users to retrieve codes sent to their cellphones.

Gwinnett also plans to add that feature, superintendent J. Alvin Wilbanks said. And instead of allowing schools to manage their own websites, the district is centralizing that work.

A big part of the security effort is focused on education. Wilbanks said he’s training himself to look closely before opening emails.

“I don’t know that I did that six months ago. I didn’t have to worry about it too much six months ago,” he said. “One person being derelict can cause some real issues.”

Local districts are laying traps for employees by sending out managed phishing emails to see if they click on a link or provide sensitive information.

In Fulton schools, the emails are made to look as real as possible by including school images and official-looking salutations. Employees who fall for the ruse are enrolled in a training session, said Derrick Johnson, director of information technology and security.

DeKalb’s watchful computer experts will shut down access to its network, including email, in a particular region if there’s a high volume of suspicious traffic coming from a certain country.

Privacy and security advocates are pushing for stricter reporting requirements for school districts and vendors.

The federal education department encourages but does not require school districts to report data breaches. States take a patchwork approach to notification mandates, though more attention has been paid to the topic recently.

In Georgia, school districts are to notify residents whose unencrypted personal information was acquired without authorization, but districts don’t have to report incidents to the state education department.

A privacy act that became law in 2016 requires notification by the Georgia Department of Education if student data that it collects is breached. The department informs specific members of its administration as well as the superintendent of the affected school district and the attorney general.

This month, the Missouri state auditor backed a bill to require schools to alert parents of data breaches. The announcement highlighted the market for stolen children’s identities, thefts that might go undetected for years because few people monitor kids’ credit reports.

“The way the laws are written, the ways that they are actually working on the ground, it’s not consistent. It’s very muddy. We really need federal guidance on this so everyone is playing by the same rules,” said Rachael Stickland, a Colorado mother and co-chairman of the Parent Coalition for Student Privacy.

FBI investigators said there’s nothing particularly unique about school districts as a target for cybercriminals. Hackers look for vulnerabilities, said Michael F.D. Anaya, a supervisory special agent on a cyber squad in the Atlanta field office.

Some in the education field fear school systems are susceptible to online threats because many don’t have the money or dedicated security experts to fight back.

In extreme cases, hackers have terrorized communities, leading to temporary school closures.

A couple of months ago, overseas hackers tried to extort up to $150,000 worth of the digital currency Bitcoin from a Montana school district. School officials indicated they would not pay, following the advice of law enforcement, according to news reports.

“We know everything about your schools and the children in them,” read the ransom note, released by the sheriff’s office. “We know who the problem children are, who the honour performing children are, and even who many of the parents are.”

Levin, the educational technology consultant and researcher, said such breaches require high-level, outside expertise.

“When you have really sort of exceptionally skilled, nefarious hackers targeting schools there’s very little that most schools are going to be able to do to protect themselves,” he said.

Reader Comments ...

Next Up in Education

APS plans budget, pay hikes amid revenue questions
APS plans budget, pay hikes amid revenue questions

Atlanta Public Schools expects Fulton County residential property values to increase after being frozen at 2016 levels. But school officials are facing major revenue unknowns while creating the budget for the fiscal year that begins July 1 .  The board is scheduled to tentatively adopt the budget May 7 and consider final approval June 4...
DeKalb school bus drivers stage sickout
DeKalb school bus drivers stage sickout

DeKalb County School District Superintendent Steve Green had a stern message for the 400 or so bus drivers who called in sick Thursday: There will be consequences. They found out quickly how severe, with at least a half dozen drivers confirming late Thursday they had been fired for calling out of work, and apparently being vocal about drivers&rsquo...
Student events to be smaller than month ago
Student events to be smaller than month ago

At Lakeside High School this morning, student activities for a national walkout will center around ways young people can continue having their voice heard, from registering to vote to engaging in conversations on continued activism. The purpose of last month’s walkout was to remember the 17 students and staff members killed at Marjory Stoneman...
19 years later, Columbine massacre echoes in Ga. schools
19 years later, Columbine massacre echoes in Ga. schools

The enhanced security at Atlanta Public Schools’ Daniel McLaughlin Therrell High School for the start of the 1999-2000 school year was nothing to write home about, said Verdaillia Turner, who taught there at the time. School resource officers roamed the halls more frequently. Then there were the metal detectors, at the old building’s main...
Keeping schools safe: ‘Not everyone can do this job’
Keeping schools safe: ‘Not everyone can do this job’

Donald Rene remembers April 20, 1999 very well. Like most school police officers, he prays that the shootings at Columbine High School in Colorado on that date are never copied at his school. He and many like him say that incident changed the dynamics of school safety forever. When he first started working in schools, administrators didn’t want...
More Stories