As Cyberattacks Increase on K-12 Schools, Here Is What’s Being Done

In recent years, cyberattacks on K-12 schools have increased. Not only do these attacks disrupt educational instruction and school operations, they also impact students, their families, and teachers.  

The scale and number of attacks increased during COVID-19 as more schools moved to remote learning and increased their reliance on IT services.

Today’s WatchBlog post looks at the growing risks and impacts of cyberattacks on schools, and our work on federal efforts to assist K-12 schools.

Image

What are the potential impacts of cyberattacks?

For our new report, we spoke with school districts and other stakeholders about the impacts cyberattacks have had on their schools, students, and community. Local and state officials told us that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time could take anywhere from 2 to 9 months. The financial impacts on schools can be broad. Officials reported monetary losses to school districts ranging from $50,000 to $1 million due to expenses caused by a cyber incident. These costs included, for example, replacement of computer hardware and enhancing cybersecurity to prevent future attacks.

Cyberattacks can also result in the disclosure and theft of students’ and school employees’ (like teachers’) personal information. Schools and school districts collect and store a lot of personal information about students and employees. In a 2020 report, we found that information compromised as the result of a data breach included things like students’ grades, bullying reports, and social security numbers—leaving students vulnerable to emotional, physical and financial harm.

How are schools being attacked?

Individuals carrying out cyberattacks on schools can use several techniques. These include:

• Phishing, which is an attempt to acquire data or other resources through a fraudulent solicitation in email or on a website.
• Ransomware, which is a type of malicious software that attempts to block access to computer or data systems. During a ransomware attack, the perpetrator demands a fee to be paid in exchange for restoring access.
• Distributed denial-of-service attacks, which prevent or impair authorized use of networks, systems or applications by multiple machines operating together to overwhelm a target.
• Video conferencing disruptions, meaning attacks that disrupted teleconferences and online classrooms, often with pornographic or hate images and threatening language.

Image

Some examples of when these methods of cyberattacks were used on public schools include:

• In December 2021, a vendor for Chicago Public Schools was a victim of a ransomware attack in which more than 500,000 students’ and staff members’ personal information was disclosed. The data included students’ names, schools, dates of birth, genders, school identification numbers, state student identification numbers, and course information from previous school years.
• In February 2021, Winthrop Public Schools in Massachusetts was the victim of a denial-of-service attack that disrupted learning and teaching on the district’s networks and web-based systems. This included emails, learning platforms and video conferencing services—all of which became essential to education during the pandemic when classes were taught remotely.
• Similarly, in September 2020, Miami-Dade County Public Schools was a victim of a series of denial-of-service attacks. This disrupted learning and teaching on the district’s networks and web-based systems.
• Connecticut officials reported a school district had to shut down for 3 to 4 days due to a cybersecurity incident. This was followed by another incident that involved the Connecticut school district being re-infected 2 to 3 days later. Officials said the additional attack was enabled by the school district’s cybersecurity insurance company not providing sufficient recovery response.
• In California, officials told us students could obtain software for $30 to $50 on the internet that would allow them to disrupt school for 20 to 30 minutes during an attack.

Number of U.S. Students Affected by Ransomware Attacks on K-12 Schools and School Districts, 2018-2021

Image

Listen to our recent podcast with GAO’s Dave Hinchman to learn more about the impacts of cyberattacks on K-12 public schools.

What is the role of the federal government?

There is a national strategy for combatting cyberattacks led by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). As part of that strategy, the Department of Education (Education) is responsible for coordinating and collaborating K-12 public school cybersecurity efforts with other federal entities—such as the FBI and DHS, as well as state, local and tribal entities. Education and CISA provide cybersecurity-related products and services to schools, such as online safety guidance. But beyond that, we found that these two federal entities otherwise have little-to-no interaction with other federal partners or the K-12 community regarding cyberattacks. This limits the federal role and ability to help schools.

We recommended that Education and DHS improve its coordination, enhance schools’ awareness of the federal services available to them, and measure the effectiveness of products and services used by schools.

Learn more about cyberattacks and their impact on K-12 schools by checking out our recent report.

• Comments on GAO’s WatchBlog? Contact blog@gao.gov.