The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts. 

Cybercriminals are not only seeking ransom payouts but are also targeting students’ personal information, including credit details, assessments, grades, health records, and more. The potential socio-emotional impact on students, coupled with financial implications, adds urgency to addressing cybersecurity challenges in schools. 

The sheer volume of devices and users in educational settings creates a complex environment prone to human failure. Challenges include phishing attacks, exploitation of vulnerabilities, and the rising ransomware threat, leading to downtime, recovery efforts, and paid ransoms. 

“Please do something,” begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis. Other victims talked about wetting the bed or crying themselves to sleep. Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. 

Other exposed data included medical records, discrimination complaints, Social Security numbers and contact information of district employees. In the U.S., 1,981 schools across 45 districts fell victim to cybersecurity attacks in 2022, almost doubling the previous year’s incidents, according to an Emsisoft report based on aggregated publicly available data. 

Schools are “definitely not funded enough to support cyber warfare,” said Josh Heller, supervisor of information security engineering at Digi International. Penn Manor School District has 5,500 students who collectively generate more than two million individual data points in the core student management system alone. 

An attack that targets a business, through an employee or an employee's child, may seem like a step too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. Combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, this vector is long-tailed but fruitful for attackers. 

Cybercriminals seeking ransom payouts or identity thieves going after a student’s spotless credit can gain access to identifying information, assessments, assignments, grades, homework, health records, attendance history, discipline records, special education records, home communications and more.  

The increase in ransomware attacks in schools poses severe emotional and physical risks to students. Besides extorting money from students, cybercriminals also target sensitive personal data, making the potential harm even greater. Educators are suffering from major downtime, and resurgent action must be a result of these attacks. 

To protect students, and to prevent further damage, it is imperative that urgent action be taken, increased funding be provided, and cybersecurity be enhanced. To strengthen educational institutions against cyber threats escalating in number and intensity, it is imperative that awareness is elevated and collaborative efforts are put into place.