Report: 'Record-Breaking' Cyber Attacks on Schools in 2020

2020 marked a "record-breaking" year for cyber attacks against schools, according to a recent report. Now, education policy organizations are asking policymakers to step up to help mitigate security threats.

K-12 Graph
A graphic from the K-12 Cybersecurity Resource Center and K12 Security Information Exchange report titled, "The State of K-12 Cybersecurity: 2020 Year in Review."
Parents, students and teachers have had to navigate a minefield of cyber threats over the past year as schools continue to invest in ed-tech tools and devices needed for remote learning during COVID-19 school closures. At the same time, cyber criminals found new avenues for data breaches and phishing scams, as well as ransomware and malware attacks targeting school districts in 2020.

According to a report released earlier this month by a public data resource called the K-12 Cybersecurity Resource Center, in association with the nonprofit K12 Security Information Exchange, 2020 marked a “record-breaking” year for cyber attacks against public schools in the U.S. The report includes data from the center's K-12 Cyber Incident Map, which recorded 408 publicized school cyber attacks in 2020, representing an 18 percent increase over 2019.

The problem has only intensified due to vulnerabilities found in the American public school system, according to the report, which notes that many districts still lack the IT staff and security protocols needed for modern cybersecurity systems. For sophisticated cyber criminals, this means easier access to financial documents and sensitive data about students, parents, educators and others involved in school operations.

cyberincidents.PNG
Nearly 40 percent of K-12 cyber incidents included data breaches and leaks, while approximately 12 percent involved ransomware. Others included denial-of-access attacks, which impeded access to programs widely used for remote learning.

Schools also reported an emerging threat of "cyber invasions," where unauthorized users gain access to online classes and video conference meetings, often disrupting them with hate speech, threats of violence and obscene images, sounds and videos.

Larger or higher-income districts with more access to technology are often among the most vulnerable to cyber threats due to their size and reliance on technology for instruction and communication, according to the report. Students and teachers engaged in remote learning during COVID-19 school closures remain especially vulnerable to cyber attacks on personal devices and networks.

Keith Krueger, CEO of the ed-tech advocacy group the Consortium for School Networking (CoSN), said CoSN's surveys have found cybersecurity a top concern among chief technology officers across the nation. The consortium, along with other education policy organizations, submitted
a petition in February asking the Federal Communications Commission to invest in cybersecurity protections for public K-12 school districts through the FCC's E-rate program. The petition estimated the annual cost for recommended next-generation firewalls, endpoint protection and advanced security features for nationwide K-12 districts at $2.389 billion.

“There’s very little money for districts on the human side. In fact, our surveys show only one in every five school districts has a full-time staff person dedicated to cybersecurity,” Krueger said, adding that the FBI and other federal agencies have designated K-12 schools as the most-targeted public sector for cyber threats.

“We’ve got multiple problems, but this problem hasn't gotten the serious attention that it needs from policymakers." 

With little standing in the way of cyber criminals targeting schools and gaining access to sensitive information on administrative systems, CoSN Cybersecurity Project Director Amy McLaughlin said malicious actors can target high school students approaching adulthood for identity theft.

“The first time a student finds out about that is when they go to apply for things like financial aid for college, and then finding out their credit has been destroyed,” she said of these data breaches.

What's more, cyber criminals are getting better at their methods, according to Krueger and McLaughlin. Phishing scams targeting remote students and educators often appear to come from recognizable email addresses at first glance.

“In a school environment, about 3 percent of teachers click inappropriately on phishing scams,” Krueger said. “That was jumping to 15 to 20 percent from home, so a lot of cyber criminals are getting into the network.”

Cyber criminals have not let up their attacks against public schools in 2021. Ransomware attacks against schools have continued, including one major incident in Buffalo Public Schools this month that forced the district to cancel virtual classes entirely. These threats have continually increased in numbers and severity, according to the report.

“It isn't just Buffalo,” Krueger warned, adding that ransomware extortion attacks have disrupted day-to-day operations in several other districts, including Clark County, Nev. and Baltimore County schools, among others.

CoSN and other education policy organizations have pushed for legislative solutions to the problem, urging support for the Enhancing K-12 Cybersecurity Act, recently reintroduced by Reps. Jim Langevin, D-RI, and Doris Matsui, D-CA, to bolster school cybersecurity funding and data tracking of cyber incidents in schools.

“We’re concerned that there isn’t [enough] data collected by the federal government,” Krueger said. “We think that Homeland Security should collect good data that’s actionable.”

Aside from policies, the report also called on digital learning platform companies and device providers “to differentiate themselves in the education market by focusing on meaningful security features," and it encouraged schools to promote digital literacy.

McLaughlin believes promoting cybersecurity awareness among students, in particular, remains critical in the fight against cyber criminals.

“You need teachers to model good digital literacy and good digital hygiene,” she said.

Brandon Paykamian is a staff writer for Government Technology. He has a bachelor's degree in journalism from East Tennessee State University and years of experience as a multimedia reporter, mainly focusing on public education and higher ed.