Education Week - November 29, 2017 - 10
DIGITAL DIRECTIONS > TRACKING NEWS
AND IDEAS IN EDUCATIONAL TECHNOLOGY
Time and Money
CONTINUED FROM PAGE 1
CoSN, a professional association for K-12 technology leaders.
"The challenges are becoming more sophisticated, and
everyone is at greater risk," Krueger said.
Many experts agree.
In February, for example, the Internal Revenue Service
issued an "urgent alert" about scammers targeting school
districts, with the aim of fraudulently obtaining employees' federal W-2 forms, payroll information, or other data
that could be used to steal money and file false tax returns. Dozens of districts fell victim to such attacks.
And last month, the U.S. Department of Education issued a fresh advisory, warning of criminal hackers seeking to take advantage of schools' weak security by stealing or locking up their sensitive data, then holding them
for ransom. The announcement followed hacks of schools
in Iowa, Montana, and Texas believed to be perpetrated
by an overseas criminal group known as Dark Overlord.
All told, at least 235 K-12 cybersecurity-related incidents have been reported by media outlets since January
2016, said Douglas A. Levin, the CEO of consulting group
EdTech Strategies. Far more have almost certainly gone
unreported, he said.
The threat is many-sided.
While often overlooked, staff and students are frequent
sources of cyber mayhem, Levin said-some because
they're out to cause harm, others because they don't know
School districts have also done a poor job of ensuring
that outside companies provide adequate cyber protections. The CoSN/Education Week Research Center survey,
for example, found that nearly 3 in 4 district IT leaders
say they are not "adding security safeguards to vendor
And while the K-12 sector has spent heavily on digital
devices, software, and bandwidth, investments in cybersecurity have not kept pace. That's left many district IT
departments understaffed and under-resourced-just as
they're being asked to fend off the types of attacks that
have overcome such corporate titans as Equifax, Target,
"In general, our data and IT systems are under assault,"
Levin said. "It would be negligence on the part of K-12
leaders to believe that somehow schools don't represent
a big new target."
Photos by Lauren Grabelle for Education Week
Steve Bradshaw, the
superintendent of the
Columbia Falls, Mont., schools,
attributes his district's cyber
vulnerability to turnover in IT
leadership, and decisions not
to upgrade its servers and
invest in new cyber
Mounting Cyberattacks Put Schools on the Defensive
'We Should Have Known Better'
Glastonbury, Conn., schools fall victim to phishing scam
In February, a new central-office employee in
Connecticut's 6,000-student Glastonbury schools received
an email that appeared to be from one of her colleagues.
The message requested that she send W-2 tax information
for all the district's 1,600 employees.
In August, however, federal prosecutors said the
message was actually sent by Daniel Adekunle Ojo, a
Nigerian citizen who had been living in North Carolina.
In August, Ojo was charged with fraud and identify theft;
authorities say he used a fake email address to steal
Glastonbury school employees' information, then file 122
false tax returns seeking a total of $596,897 in refunds.
Ojo has pled not guilty to the charges.
Such scams are pervasive throughout K-12, said Douglas
A. Levin of EdTech Strategies, who has been tracking
cybersecurity incidents in schools for almost two years.
Among other districts where sensitive employee
information was successfully phished: Manatee County,
Fla., where hackers obtained the names, addresses,
wages, and Social Security numbers of more than 7,700
school employees; and Atlanta, where scammers stole
more than $56,000 from employees by successfully
rerouting their direct-deposit payments.
Fake emails were also recently used to scam districts
in Boulder, Colo., and Lake Ridge, Ill., out of hundreds of
thousands of dollars in school construction funds.
Given such losses, Levin said, it's surprising-and
alarming-that fewer than half of district informationtechnology leaders describe phishing attacks as a
One contributing factor: With so much recent attention and
legislation around student-data privacy, many schools have
been focused on identifying what information is collected
from students and how it is used, rather than on how to keep
safe the full scope of sensitive information on their networks.
That was the case in Glastonbury, Superintendent Alan
Bookman said in an interview with Education Week.
But after falling victim to the phishing scam, Bookman
said, his district has revamped training to provide outside
guidance to administrative staff in departments such as
human relations and payroll, where sensitive employee
information is kept. Protocols around staff-email use are
stricter. And all Glastonbury employees are now required
to pick up duplicate tax forms in person.
"We should have known better," Bookman said of the
mistakes Glastonbury made."We're living in a different
'The Threat Is Real'
Dark Overlord hackers attack Columbia Falls, Mont., schools
Steve Bradshaw was looking at another terrifying email
An overseas criminal hacking group known as Dark
Overload had already compromised one of the servers
used by the 2,100-student Columbia Falls, Mont., school
district, where Bradshaw is the superintendent. The
hackers had stolen reams of sensitive information,
including special education and behavioral-health
reports on children, and sent parents graphic messages
threatening their children with violence. And in a sevenpage ransom letter, the group had promised an "immense
and unfathomable amount of financial and reputational
harm" if Columbia Falls failed to meet its demand for
$150,000 in a cryptocurrency known as Bitcoin.
Now, the hackers said they had breached the district's
internet-connected security-camera systems. The message
said they had been watching the law-enforcement officials
outside the school, accurately describing their location and
For the first time in his 42-year career, Bradshaw said,
he started sleeping with his shotgun."It was a full-blown
crisis," he said.
The attacks spread to 32 schools throughout Montana's
Flathead Valley, affecting 15,000 students. The FBI got
involved. Columbia Falls shut down for three days. When
schools reopened, parents wanted to maintain armed
patrols of the hallways.
After the threats of violence were deemed not credible,
Bradshaw's district decided not to pay the ransom.
But two months after the attack, the threat of a
massive release of sensitive student data still hangs over
the area. And the Dark Overlord hackers have apparently
branched out, claiming credit for similar cyberattacks of
schools in Iowa and Texas.
Bradshaw attributes his district's vulnerability to a
number of factors. Not long before the hack occurred, he
said, the Columbia Falls' IT director had retired, and the
2½-person department had lost one of its part-time staff
During the prior years, Bradshaw said, the district
To better understand the cybersecurity challenges facing
schools, Education Week talked with school leaders in Arizona,
Connecticut, Montana, and Texas about the cybersecurity incidents
they faced, and how they responded.
had also neglected to upgrade its servers or purchase
new cybersecurity software. The money instead went
to buying digital devices for students, interactive white
boards, virtual-reality science-lab software for classrooms,
and better Wi-Fi access for schools.
"The tech came on fast," Bradshaw said. "And there
were a lot of things we didn't really understand that you
shouldn't do anymore, like leaving access to our servers
through outside entry points."
That combination of more technology, new threats, and
underinvestment in security is common inside many of
the nation's schools, said Keith Krueger, the CEO of the
Consortium for School Networking.
Most districts don't have a staff member dedicated
specifically to cybersecurity, CoSN recently reported.
And many district IT leaders have been slow to grasp
the severity of the threat they face. Just 27 percent said
ransomware attacks similar to what happened in Columbia
Falls are a significant problem, according to results from a
new CoSN/Education Week Research Center survey.
"K-12 is not a sector with huge technical capacity,"
Krueger said. "The threat is real, and there needs to be