How school districts became a top — and lucrative — target for cybercriminals
Cyberattacks against school systems — such as the recent one in Manhasset — are becoming more aggressive and damaging, exposing personal information and costing taxpayers big bucks to repair school technology, and, in some cases, pay ransoms to retrieve stolen data, experts say.
School districts are prime targets for cybercriminals because they hold an abundance of information on staff, students and local households, which can be stolen and used for identity theft and fraud, said Shaun Pleickhardt, president of Synack Technology Services in Centereach, which protects and repairs computer systems.
Moreover, Long Island's 124 districts often have large enough budgets to attract criminals, but some don't spend enough to adequately protect their computer systems, Pleickhardt said. To do so, the cost could range, depending on the district's size, from $20,000 to more than $100,000 per year, he said.
Cybercriminals "go in like a bull in a china shop, and then it's open season," Pleickhardt said. Once a system is breached, "It is chaos and it happens fairly quickly. It starts a cascading effect within minutes."
The COVID-19 pandemic made matters worse, experts say. As schools fast-tracked the shift to remote learning, some computers handed to, and owned by, students lacked adequate security, said Nir Kshetri, a University of North Carolina-Greensboro management professor who has written on cybersecurity. Also, districts adopted online teaching platforms, some of which were vulnerable to attacks, he said.
Cyberattacks have hit schools and colleges harder than any other industry during the pandemic, Kshetri said.
A total of 408 publicly disclosed school cyberattacks and breaches occurred in the nation in 2020, according to the K12 Security Information Exchange, a Virginia nonprofit that tracks cyberattacks on schools. That's roughly a 17% increase over the 350 publicly disclosed attacks during the prior calendar year, and a 252% jump from the 116 in 2018, according to the tracker.
On Long Island, 13 districts suffered cyberattacks or data breaches from 2018 through 2020, according to K12's tracking report. They are: Rockville Centre, Montauk, Port Jefferson, Mineola, Sag Harbor, Lindenhurst, Oceanside, Bay Shore, Lynbrook, Miller Place, Remsenburg-Speonk, Great Neck, and Floral Park-Bellerose. Three of the attacks occurred in 2020, the report said.
School districts are increasingly being attacked with "ransomware," in which a hacker locks up, or encrypts, a computer system and demands money to unlock it, said Douglas Levin, national director of the K12 Security Information Exchange.
"They are absolutely the most significant types of attacks in that they cause the most harm, especially given recent trends," Levin said. He added that he believes school cyberattacks are greatly underreported, though it's a requirement to report them in New York State.
The average ransom payment by educational institutions was $112,000, according to a study this year by Sophos, a British security software and hardware company. But the total bill for rectifying a ransomware attack on an educational institution — considering down time, repairs and lost opportunities — was $2.73 million, the study said.
A 'gut punch'
Ransomware is often introduced in an email, when a worker mistakenly opens the message and clicks on a link or attachment. The malware enters the computer system and corrupts it, locking up information and potentially sabotaging the entire system. The hackers then demand a ransom.
The Sept. 14 ransomware attack against the Manhasset district created weeks of havoc for district telephones and voicemail, Wi-Fi, the purchase system in cafeterias, and teachers’ access to lesson plans and tests, acting Superintendent Gaurav Passi said in a letter to the community.
Manhasset was able to restore the computer system from backup files. It did not pay the hackers' demand for money, said Passi, who would not say how much they demanded.
But since then, the hackers have posted many school files to the web, including sensitive and personal information on current and former staffers and students, he said in a written communication to the school community. Worse, local students obtained and distributed some of the stolen information, including a confidential memo, he said.
"That was a gut punch," Edward Vasta, 54, a high school librarian who has worked 27 years in the Manhasset district, said of the students distributing information.
District officials held an emergency meeting last month with staff about the cyberassault, and have been checking the computers of the approximately 500 teachers and staff, installing additional protections, Vasta said.
Vasta said staffers are upset and feel vulnerable, wondering whose information might come out next.
"We were already working a year and a half in a pandemic world, worrying about our health and family," Vasta said. The cyberattack, he added, has been "enormously stressful."
Vasta is among those Manhasset employees who've accepted the district's offer of free credit monitoring. He said he's satisfied that the district is handling the crisis well.
But Donna Linden, a recently retired Manhasset clerk/typist, said the district did not notify her of the attack.
"I'm quite upset. Now I have to get fraud protection," said Linden, 68. "I'm changing all my passwords."
Linden said she recently tried to go online and a warning popped up to check all her passwords. Now she's worried that a hacker has her Social Security number and other private information.
"I called up my son. I was worried about my account, my will, my trust — whatever I own," she said.
Passi said the district is reaching out to its retiree association to send information to retirees.
When hackers shut down the Montauk district’s computer system in 2017, officials decided to pay the ransom of $900, Superintendent J. Philip Perna said.
The system was up and running within days, Perna said. "There was no damage. I'm knocking on wood," he said.
Afterward, the district hired an outside company, Long Island Computer Networks (LICN), to provide security for its computer system. The district pays LICN about $40,000 a year. The district also has a teacher/cybersecurity person on staff, and a part-timer who is an employee with LICN, he said.
Some of Montauk's financial data is secured by Eastern Suffolk BOCES, as well, Perna said. The startup with BOCES cost $18,000 about three years ago, and the district now pays them $7,000 yearly.
Altogether, the Montauk district's information is backed up, encrypted and stored off site, he said.
During the pandemic, when some students were working remotely from home, Perna said, the district made a point of working with internet platforms that had better security than others.
The Rockville Centre district paid almost $100,000 in 2019 to restore its data after being hacked with a ransomware virus that encrypted files on the system’s server until payment was made to unlock the information, the district said. The payment was covered by the district's insurance.
Asked if it might be cheaper for school districts to pay ransom, Levin said in an email that insurance coverage is an "integral part of the process" in many responses. "In those cases, the overall cost to recover and respond can be a very strong factor in a school district deciding whether to pay or not."
The Mineola district's server was hacked in 2019, but Superintendent Michael Nagler said at no time was there a breach of data. The virus was designed to encrypt the backup as well. Fortunately, the district had taken its backup offline to do some work and had a full backup. The district did not pay the ransom and was able to clean and rebuild its network, Nagler said at the time.
Cybercriminals attack schools in other ways. Last December, hackers breached Great Neck's North Shore Hebrew Academy website and posted video and images of swastikas, Nazi soldiers marching during World War II, and a song threatening the lives of Jewish people.
Tracking cyberattacks on schools is difficult. State officials acknowledge that some attacks are not reported. Under state law, any educational agency that experiences a "breach of security" must notify the state Department of Education.
The attackers are often elusive. Levin noted that ransomware gangs are based overseas in countries with which the U.S. does not have an extradition treaty. "There has been some recent movement to bring these criminals to justice, but it very much remains the exception to the rule that they are collared by U.S. law enforcement," he said.
Several of the Long Island school districts that have suffered cyberattacks declined a request by Newsday to talk about the security of their computer systems. They include: Lindenhurst, Sag Harbor, Port Jefferson, Floral Park-Bellerose, Lynbrook and Mineola.
The public relations firm for those districts, Syntax, said in a statement, "There is much hesitation to share such detailed cybersecurity information as these are the mechanisms that work to maintain cybersecurity safety."
A step ahead of bad guys
The state Department of Education registered 44 cyberattacks and data breaches in 2020. That was almost double the prior year, when the state logged 23 cyberattacks and breaches.
The majority of these incidents were due to the accidental disclosures of information, state education officials said. In one such incident, an undisclosed district erroneously sent an email to a student containing 66 student records that included student transcripts, names and addresses.
The number of reported ransomware incidents in the state decreased from 16 in 2019 to 10 in 2020, state officials said.
Protecting school systems against cyberattacks requires vigilance, said Robert Dillon, superintendent of Nassau BOCES. He said Nassau BOCES provides backup computer support for about 30 districts in the area.
"Computer security is an evolving process. You're trying to stay one step ahead of the bad guys," Dillon said.
Beyond the technology, worker training also is essential, Dillon said, since many places are hacked after a worker unknowingly opens an email containing ransomware or clicks on a well-disguised nefarious link.
"We have constant reminders on dos and don'ts," Dillon said.
Eastern Suffolk BOCES provides cybersecurity resources for 69 school districts in the county, said Darlene Roces, director of the BOCES office called the Suffolk Regional Information Center.
The individual districts must appoint their own data protection officer, according to a 2020 state regulation, she said. But BOCES provides guidance, training, resources and backup services, especially when a district is attacked. BOCES also provides backup services and professional development for a fee, Roces said.
The state offers guidance and funding to help districts improve their cybersecurity.
New York is expected to be eligible for $28 million over the next five years to protect against cyberattacks, as part of the $1.2 trillion bipartisan infrastructure package recently passed by Congress.
Schools hold a tremendous amount of information on staff and students, and when hackers publish the pilfered data on the internet, numerous problems can arise, said Nick Nikiforakis, a Stony Brook University associate professor of computer science.
Manhasset school officials initially said the hackers obtained Social Security numbers and driver's license numbers. Such information can help criminals take out credit cards and loans in the name of a person, Nikiforakis said.
Later, the district said sensitive and personal information on former and current staff and students was stolen as well. Such records could contain information on students' and staff members' mental health issues, disciplinary actions and internal investigations into accusations, he said.
Student information has immense value, as well. Students have Social Security numbers and clean credit histories. Criminals can use the information for identity theft, and the child may not know for years what happened, Nikiforakis said.
Back it up, keep off-site
School districts have numerous ways to protect themselves, said Steve Morgan, founder of Cybersecurity Ventures, a research firm with offices in Northport and California. Districts need to store their data securely by backing it up and keeping it off-site. They also need to secure their systems with virus and malware protection and firewalls, and have an incident response plan in place should the system be breached, Morgan said.
Districts, he added, also should have a cybersecurity expert on staff, continually monitor the system, and test it regularly for flaws.
As for districts paying ransoms, Morgan said in an email that doing so "emboldens the criminals. It's an invitation to attack again. And even when you pay a ransom there is no assurance that you'll get your data back."
For people with home computers, Morgan recommended having reputable antivirus and malware software, backing up data, and using hard-to-remember passwords that differ from account to account.
He also recommended using multifactor authentication with important accounts. So when a person accesses, for instance, their online bank account, the bank will text a code to their phone for entry. Without that phone in hand, a person cannot call up the accounts, he said.
Should a person discover their information has been stolen, Morgan recommended that they freeze their credit, notify their bank and credit card companies, and change all passwords.
"We're still in the early days of this digital society," Morgan said. "The tactics [of cybercriminals] are getting worse. We're starting to see extortion and threats."