Ransomware attack on Los Angeles school district

September 11, 2022

Educational institutions are prime targets for cyber attackers. They hold large volumes of personal information about students, staff and often alumni. They are also notoriously poor at maintaining proper data security. A key response by schools to the coronavirus epidemic was the move to remote learning, which meant greater opportunities for cyber attacks. Attacks on educational institutions so far this month include one on Franklin College in the United States, in which the personal information of 6,000 students was possibly taken. The Savannah College of Art and Design also suffered an attack in which personal information was accessed. Someone stole personal information of students who studied there from 1989 to 1999. Why an institution would have that information on its server is a mystery and a failure of proper data management. The stolen data included the names and Social Security numbers of students.

But those breaches were dwarfed by a data breach of the Los Angeles Unified School District, which enrols 600,000 students. It is the second largest school district in the United States. Data Breach Today reports on the breach in Los Angeles School District Hit by Ransomware Attack. It seems that at least 23 sets of credentials were compromised before the attack and offered on the dark web. At least one of those credentials unlocked the account for the school district's virtual private network. Tellingly, last March the FBI warned school systems that there were identified players targeting them for ransomware attacks. In October last year the US Government Accountability Office warned the Department of Education that it had not updated its cybersecurity guidance since 2010. Its guidance was 12 years out of date!

The article provides:

A ransomware attack is disrupting some operations at California’s largest public school system just weeks after the start of the new academic year.

The Los Angeles Unified School District says it “detected unusual activity” over the weekend that was later identified as ransomware likely motivated by criminal gain. Fundamental school system functions – including instruction and transportation, food and after-school programs – are unaffected. The district serves more than 600,000 students, making it the second-largest in the United States.

The attack disrupted the district’s email system and other applications. Critical business systems, such as employee healthcare, payroll systems, and school safety and emergency mechanisms, remain unaffected, the district says. It has sought assistance from the FBI and the Cybersecurity and Infrastructure Security Agency.

Ransomware gangs have ramped up attacks against school systems particularly after the novel coronavirus pandemic forced hasty adoption of remote tools for teaching. The FBI in March 2021 warned school systems about unidentified threat actors specially targeting K-12 schools with PYSA ransomware.

The nonprofit K12 Security Information eXchange says it knows of 62 ransomware attacks on schools during 2021 but warns that public reporting by school districts could undercount the number of actual attacks by a factor of 10 to 20.

The Government Accountability Office last October warned that the Department of Education hasn’t updated cybersecurity guidance for the K-12 sector since 2010, making the sector less likely to have access to federal support to help protect from cyberattacks.

Ransomware attacks can be costly incidents for school districts, which are typically financially pressed. A 2020 Ryuk ransomware attack against Baltimore County Public Schools cost nearly $9.7 million in recovery expenses.

Response Plan

The Los Angeles Unified School District says it will implement the following measures:

    • Set up an independent IT task force that will develop recommendations to improve the IT infrastructure security within 90 days and share monthly status updates about it.
    • Deploy skilled human resources, especially IT personnel, at all sites affected by the ransomware attack to assist with potential technical issues.
    • Conduct a “full-scale” reorganization of departments and systems to bolster data safeguards.
    • Expand ongoing assistance from federal and state law enforcement entities to include a forensic review of systems.
    • Set up an advisory council to advise on best practices and systems, such as emerging technological management protocols.
    • Appoint a technology adviser to assess security procedures and practices in the district. The individual will also review data center operations, including existing technology, critical processes and infrastructure.
    • Introduce mandatory cybersecurity training for employees.

As is usual with a data breach of this size and notoriety, it has been reported widely, including by NPR, the Guardian and TechCrunch, to name just a few.
