Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Minneapolis school. Show all posts

Cybercriminals are Targeting Schools, They are not Ready


This March, the Minneapolis Public Schools district witnessed a major ransomware attack, losing multitudes of private information such as students’ mental health records, sexual assault incidents, suspensions and truancy reports, child abuse allegations, and special education plans, that were released online. 

In 2022, a similar incident took place in a Los Angeles school district, compromising students’ psychological records. Baltimore County Public Schools had a cyberattack in 2020 that caused the district's remote learning programs to be interrupted, its business to be frozen, and cost the school system close to $10 million. The Chambersburg Area School District in Pennsylvania was the most recent educational institution to experience a cyberattack on September 1.

School districts have grown into a frequent target for school districts across the country, where cybercrime actors are regarding school systems as easy targets, due to a lack of cybersecurity infrastructure. Although many school districts are beginning to protect that infrastructure, experts say there is still much work to be done.

Following a phishing attack in 2019, the Atlanta Public Schools district deployed a private firm to look into their networks and find loopholes and vulnerabilities, according to Olufemi “Femi” Aina, the district’s executive director of information technology. Apparently, the district has also introduced security measures including multi-factor authentication on school devices, purchased insurance that covers cybersecurity liability, and backed up important school data offsite.

Additionally, the district educates both staff and kids on cybersecurity. Faculty and staff members are sent to cybersecurity training and take part in simulated phishing exercises. Multifactor authentication configuration and difficult password selection are lessons that are taught to students. 

“If you can prevent your employees or make them more aware, so that they do not click on those harmful emails, or respond to those types of messages, it can be just as effective, if not more, than a lot of different systems that we have,” Aina said.

Compromised private information like social security numbers, student health records and disability diagnoses, can result in days or weeks of missed school and lost instructional time for students. 

The federal government is also stepping in for a solution. Jill Biden, the first lady, Miguel Cardona, the secretary of education, and Alejandro Mayorkas, the secretary of homeland security, all served as cohosts of a recent Department of Education cybersecurity summit, where the agency unveiled a number of new initiatives and provided advice for school districts on how to deal with cyberthreats and what to do in the event of an attack.

According to Kristina Ishmael, deputy director of the Office of Educational Technology, the education department intends to create a special council made up of the federal, state, local, tribal, and territorial governments to coordinate policy and communication between the government and the education sector in order to strengthen school districts' cyber defenses. She described it as the "first step" in the department's plan to safeguard educational institutions from cybersecurity dangers and support their response to assaults.

Also, Federal Communications Commission Chairwoman Jessica Rosenworcel is planning on setting up a pilot cybersecurity program, along with the FCC’s E-Rate program, which was established in the early 1990s as a way to provide affordable internet for schools and libraries. 

The three-year pilot program will offer $200 million to schools and libraries eligible for the E-Rate program in order to hire cybersecurity experts and enhancing schools’ network security.

According to CoSN’s – a K-12 tech education advocacy group – CEO Keith Kruger, groups like the Consortium Networking, or CoSN have urged the FCC to upgrade the E-Rate program to include greater cybersecurity precautions. "We've been saying this is a five-alarm fire for the last two years," he said. 

“None of that really solves the problem that only about one in three school districts has a full-time equivalent person dedicated to cybersecurity,” he said. 

According to Kruger, school districts needs to be creative in their tactics to lure cybersecurity professionals their district need. Such strategies can involve collaborating with nearby community colleges, technical colleges, or vocational institutions to offer internships to students enrolled in cybersecurity programs.  

Ransomware Gangs Exposing Private Files of Students Online


Ransomware groups have lately been dumping private documents acquired from schools online. The stolen content included happens to be raw, intimate and graphic. The confidential ‘data’ leaked online involve content as explicit as describing student sexual assaults, psychiatric hospitalizations, abusive parents, truancy, or even suicide attempts. One hacked file shows a youngster pleading, "Please do something," recalling the pain of frequently running into an ex-abuser at a Minneapolis school, while other described some victims wetting their bed or crying themselves to sleep.

More than 300,000 files were posted online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. Among those files were complete sexual assault case folios including this information. Medical records, complaints of discrimination, Social Security numbers, and contact information for district employees were among the other data disclosed.

The ‘nation’s schools’ that are lush with data have been a primary target for hackers. “In this case, everybody has a key,” says Ian Coldwater, a cybersecurity expert whose son attends a Minneapolis high school.

Districts – often short of funds – are also short of resources to defend themselves from or even properly respond when attacked, as months after the attack, the Minneapolis administrators did not yet promise to inform about the attack to individual victims.

Families of six students whose sexual case files were leaked reached the Association Press only after getting to know about it through a message from a reporter, alerting them of the leak.

Los Angeles Unified School District caught a ransomware attack in progress last Labor Day weekend, only to find the private paperwork of more than 1,900 former students — including psychological evaluations and medical records — leaked online. It was not until February that district officials disclosed the breach's full scope.

It turns out that the long-term effects of school ransomware attacks are not in school closures, expensive recovery efforts, or even skyrocketing cyberinsurance premiums. The AP discovered private documents available on both the open internet and the dark web, causing trauma for teachers, students, and parents.

“A massive amount of information is being posted online, and nobody is looking to see just how bad it all is. Or, if somebody is looking, they’re not making the results public,” says analyst Brett Callow of the cybersecurity firm Emsisoft.

Other major cities that experiences a data theft incident include San Diego, Des Moines and Tucson, Arizona. While the severity of attack remains unclear, the authorities were criticized for their negligence in acknowledging and responding to the ransomware attack.

School systems have been slower to respond than other ransomware targets, who have strengthened and segregated networks, encrypted data, and required multi-factor authentication.

As per a report by the Center for Internet Security, a federally funded nonprofit, one in three U.S districts had been breached by the end of 2021. According to analyst Allan Liska from cybersecurity firm Recorded Future , ransomware have affected over 5 million students in US already and the cases are likely to only increase this year.