You may think the top targets for cyberattacks are giant corporations, major organizations or government entities -- but you'd be wrong. Experts say cyberattacks against K-12 schools are on the rise, and they're getting worse.
A survey by cybersecurity firm Sophos shows the education sector reported the highest rates of ransomware attacks of all industries surveyed in 2023, suggesting that school districts are particularly exposed to attacks. According to the survey, 80% of lower education providers reported that they were hit by ransomware in 2023 -- up from 56% the previous year.
Another analysis by Emsisoft, a cybersecurity firm that tracks ransomware attacks, shows 45 school districts reported they were attacked in 2022, and the impacted districts had 1,981 schools. That number more than doubled in 2023, to 108 districts. The impacted districts had a total of 1,899 schools between them and at least 77 of the 108 had data stolen, Emsisoft said.
"We have no explanation for this increase," the firm said in a statement.
The actual number of attacks is likely higher than reported, as not all incidents are made public. In any event, schools are left crippled after such attacks, and the effects often trickle down to students.
According to the U.S. Government Accountability Office, the loss of learning following a cyberattack typically ranges from three days to three weeks, and recovery time ranges from two to nine months.
In 2022, the most significant incident was the attack on Los Angeles Unified School District which, with more than 1,300 schools and 500,000 students, is the second largest district in the U.S., per Emsisoft.
In 2023, the most notable attack happened on Minneapolis Public Schools, which disrupted learning at multiple schools and resulted in nearly 200,000 stolen files being posted online, Emsisoft reported. The files included details of campus rape and teacher abuse cases, students' psychological reports, and other extremely sensitive information.
The Government Accountability Office says the COVID-19 pandemic amplified the vulnerability of K-12 schools to potentially serious cyberattacks as schools were forced to increase their reliance on IT to deliver educational instruction to students. On top of that, Sophos says hackers are simply getting better at what they do.
"The percentage of attacks that resulted in data being encrypted in lower education organizations has gone up from 72% in 2022 to 81% in the 2023 survey," the firm said. "This high encryption rate likely reflects the ever-increasing skill level of adversaries who continue to innovate and refine their approaches."
Once hackers have stolen the data -- which can include sensitive information about students and staff, from social security numbers to sexual assault records and discipline history -- they threaten to release it publicly as a way to extort payments. The data can also be sold to other bad actors on the dark web, where it can be used to steal a child's identity. In 2023, 73% of schools that were attacked used backups for data recovery, while almost half (47%) paid the ransom, per Sophos -- and the average ransom payment to recover data was $1.59 million.
According to Sophos, the top root causes of cyberattacks at K-12 schools are compromised credentials (36%), malicious emails or phishing (30%) and exploited vulnerabilities (29%).