Long Island schools suffered from at least 29 incidents of ransomware, computer hacks and other cyber incidents over the past three years, ranging from attacks that crippled computer networks to worker errors that exposed Social Security numbers, addresses and other private information, according to records obtained from the state Education Department.
Thirteen of those incidents involved ransomware, hacks or cyberattacks in which someone infiltrated computer systems, according to data obtained by Newsday through a Freedom of Information Law request. Sixteen were due to human error, such as a school worker accidentally releasing private information of students or staff, or an employee inadvertently clicking on a link that unleashed a malicious virus onto the network.
School districts have become prime targets for cybercriminals, especially regarding ransomware attacks, said Shaun Pleickhardt, president of Synack Technology Services in Centereach. In a ransomware attack, a hacker locks up or encrypts a computer system and demands money to unlock it.
"Schools are just a popular target. It's easy to get in, and it's easy to get them to pay in some cases," said Pleickhardt, whose company protects and repairs computer systems for businesses, individuals and schools, including some on Long Island.
"Once one system is infected, you can almost guarantee that the entire network is infected. That's how malware works, to inflict as much pain as possible," he added.
Long Island districts reported 10 cyber incidents in 2021, compared with 13 in 2020 and six in 2019, according to state data. The 2019 figure included two that occurred in late 2018 but were not reported until 2019.
The data comes as the number of reported cyber incidents across the state jumped from 44 in 2020 to 71 in 2021, a 61% hike, according to a separate annual report by the state Education Department. Moreover, the 2021 number is far higher than the 23 incidents for 2019, state reports show.
State officials and experts point to two factors driving the rise in cyber-troubles. The increased use of remote instruction during the pandemic opened school networks to many more computers, some of which didn't have proper protection. Also, nearly half of the incidents last year came from human error, and state officials stressed the need for more training of staff and students to protect private information.
The state "saw a substantial increase in reported data incidents this past year," the 2021 report stated. "The increase in data incidents and the high percentage due to human error emphasizes the need for more privacy training."
The cyber incidents on Long Island included:
- The Manhasset district suffered a major ransomware attack in September, prompting school officials to temporarily shut down the computer network. The damage created weeks of havoc, as teachers couldn't access their lesson plans and tests, and district telephones, Wi-Fi and voicemail weren't working.
- Oysterponds school officials said a cyber scam in June 2020 involving fraudulent unemployment insurance claims exposed a dozen workers' Social Security numbers, home addresses and wages.
- Eastern Suffolk BOCES workers erroneously released about 350 reports, including students' names, home addresses and Regents scores in August 2019.
In 2019, when Eastern Suffolk BOCES inadvertently released student information, the result was that one group of students received private information of another group in a regional summer school program.
“This was an error on our part,” said Julie Lutz, chief operating officer of Eastern Suffolk BOCES. “We don’t like to make errors, and we do everything we can to make it right.”
That’s where training comes in, Lutz said. Turn off the computer at the end of the day. Never click on a suspicious link, she said.
Lessons learned in Manhasset
The Manhasset school board discussed the lessons learned from last year's ransomware attack at its Jan. 19 meeting.
"After being attacked, we want to be as secure as we can," Sean Adcroft, the district's director of technology instruction and libraries, said during the meeting. "Unless you have a team that is actively working on upgrading your response and defenses, you don't really stand a chance."
The district had obtained ransomware insurance and backed up files before the incident, Adcroft said. He said plans to add more protections — such as more sophisticated records management and the monitoring of the network around the clock — could cost the district up to $250,000 this school year.
The district also plans to add measures such as more complex passwords and multi-factor authentication, in which someone attempting remote access would type in their password and receive a texted code on their cellphone to gain access, he said.
Rosemary Johnson, Manhasset's deputy superintendent for business and operations, said the district needs to do more to protect the private information of students and staff.
"We are not equipped to handle the level of protection we now need," Johnson said during the meeting. "We cannot risk — with this ratcheting up of attacks against school districts across the country — to go through another episode."
Manhasset did not pay the hackers' demand for money, the amount of which school officials would not disclose. The district was able to restore the computer system from backup files. But the hackers posted files to the dark web, a part of the internet accessible by means of special browsers that allow anonymity for users and website operators, raising the risk of identity theft, officials said.
Manhasset declined to provide a full accounting of the costs to repair and restore the district's computer systems, other than to disclose it paid more than $9,000 in legal bills.
The total bill for rectifying a ransomware attack varies. Considering down time and repairs, it can cost an educational institution an average of $1.85 million, according to a study last year by Sophos, a British security software and hardware company. The findings also showed that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.
In Buffalo, school officials approved spending nearly $9.4 million on external IT consultants to respond to a March 2021 ransomware attack.
Douglas Levin, national director of the K-12 Security Information Exchange, a Virginia nonprofit that tracks cyber incidents on schools, said many districts are secretive about their computer systems and defenses, afraid that any information released could compromise their security.
Moreover, many states lack strong laws and enforcement to mandate schools report cyber incidents, Levin said. He believes cyber incidents are greatly underreported.
Across the country, there were a total of 62 ransomware attacks on schools in 2021, according to a March report by K-12 Security Information Exchange. That figure represented a bump from the 51 ransomware attacks in 2020, though it is the same number as occurred in 2019. For the first time, ransomware attacks were the most frequently disclosed school-related cyber incidents in 2021, Levin said.
New York law requires that school districts and other educational agencies report unauthorized data disclosures and breaches to the state Education Department. But the law does not authorize any penalties or other repercussions if an educational agency does not file a data incident report.
The state Education Department initially declined Newsday's request for the cyber incident reports from January 2019 to January 2022. The department said the release of the reports, sought under the state's Freedom of Information Law, could compromise the security of districts' information.
Newsday appealed the rejection and received the records, though the state redacted large portions of the reports.
Repair costs can be staggering
Even in cases where school districts don’t pay a ransom, the cost to repair a system can be staggering.
The cost to adequately protect a district's computer systems can range from $20,000 to more than $100,000, depending on the size of the district, Pleickhardt said. He said Long Island's 124 school districts often have large enough budgets — or insurance for cyberattacks — to attract criminals.
The Rockville Centre district paid a ransom of almost $100,000 to restore its data after a ransomware attack in 2019. The attack encrypted files on the system’s server until payment was made to unlock the information, the district said. The payment was covered by the district's insurance.
Some districts fought off cyberattacks.
In February 2021, Hewlett-Woodmere school officials reported that a cybercriminal gained access to a student’s account and tried to use commands to escalate the intruder's access to the system.
"Our next-gen antivirus was able to prevent additional commands from running and the attack was unsuccessful," the incident report stated.
Sag Harbor officials reported a ransomware attack that knocked out all its computer systems in November 2019. Sag Harbor officials declined to discuss details, but said the district did not pay the ransom and that student and staff information was not compromised.
Other reports show the importance of a robust backup system.
Daniel Cunneely, technology director for the Floral Park-Bellerose district, said he was at home at 7:05 a.m. on Sept. 10, 2020, when he attempted to log in to a district server, according to one of the cyber reports.
"I saw on the server screen a ransomware message and immediately disconnected," Cunneely said, according to the report. "The district then spent the next 48 hours rebuilding the entire network from backups."
Floral Park-Bellerose school officials declined to comment on the incident.
A handful of reports detailed breaches to outside companies that handle district data. For example, the British firm Pearson provided testing software to school districts in several countries. In July 2019, several Island districts — including Franklin Square and Fire Island — were notified of a wide-ranging hack in 2018 on Pearson. The cyberattack involved the theft of millions of student records and administrator login credentials, according to the U.S. Securities and Exchange Commission.
When private information is exposed, it can lead to the identity theft of a staffer or student, said Kees Leune, associate chair of Adelphi University's mathematics and computer science department. A student may not learn of the identity theft for years, he said.
"By the time they get to 18, they might apply for a loan and find out their identity had been stolen," Leune said.
In August of last year, the SEC announced that Pearson had agreed to pay a civil penalty of $1 million to settle charges that it misled investors about the cyber intrusion.
"Pearson opted not to disclose this breach until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections," the SEC said in a statement at the time.
Expert says don't pay ransom
Cybercriminals have become increasingly creative in luring people into scams and other cyber-traps.
Several Lynbrook school workers clicked on a link to a fraudulent invoice that unleashed a virus that spread through the district's system, according to a January 2019 report. Lynbrook needed three weeks to stop the infection and restore its network. The recovery process entailed changing all passwords, re-creating numerous accounts and upgrading its defenses, the report said.
The FBI came in, agents took two machines for forensic investigation, and district workers were alerted.
"They were specifically warned that, although it is against district policy to use district computers for personal business, that any personal banking information used in such a manner may have been compromised," the report said.
Lynbrook school officials declined to discuss the incident.
Tech-savvy students also have infiltrated school computer systems.
A West Babylon student was caught accessing another student's online homework in June of last year. School officials met with the student's parents, and the student was suspended, according to the report.
After the incident, West Babylon consulted with cybersecurity professionals, changed students' passwords and instituted other safety measures, Superintendent Yiendhy Farrelly said. She declined to identify those measures, citing security concerns.
The Oysterponds school district was targeted for a scam in June 2020, Superintendent Richard Malone said. The district received claims for unemployment insurance benefits for a dozen workers, according to the report.
Red flags went up, Malone said, because every employee was working during that period. Also, the claims contained numerous errors in the spelling of people's names and addresses, he said.
"There was no one paid unemployment," Malone said. "Everybody was working."
Leune, who is also Adelphi's chief information security officer, said he advises that school systems do not pay any ransom, so long as they have backups of the data. But he acknowledged that the urgency to restore data and return to everyday instruction can be great.
"You do not want to negotiate with criminals. You can't trust them," Leune said. "But if I need to get my teachers back to teaching, it might be worth it to pay a $20,000 or $30,000 ransom. It's prioritization."
Leune said district technology systems need to be protected and monitored by qualified in-house professionals or an outside tech-security company. They should not be the responsibility of a part-time "technology director" who already has other district duties, he said.
He recommended that school systems protect themselves by backing up their information and ensuring software is up-to-date, and that they perform regular "penetration tests" to see how their systems hold up against attacks.
In addition, make sure someone in the district is directly responsible for the system, Leune said.
"If people are not held accountable for a standard of success, then there is no standard of success," he said.
Gov. Kathy Hochul recently announced a Joint Security Operations Center in Brooklyn that will serve as the nerve center for local and federal efforts to improve cybersecurity across the state, including schools.
Eastern Suffolk BOCES has a regional information center, one of a dozen throughout the state that provides data privacy and security support for school districts. The center, which offers a mix of free and paid services, recently began offering assessments to school districts of their cybersecurity and technology staffing needs, center director Darlene Roces said.
Lutz said staffers who handle data undergo training, which has been strengthened by a recently adopted education law that further protects the personal information of students and staff.
“In the last several years, school leaders have become more vigilant,” she said. “In my opinion, as a school leader, it is something that districts take very seriously.”
With Arielle Martinez and Joe Diglio