How to keep your information safe in wake of school cybersecurity attacks
Go Deeper.
Create an account or log in to save stories.
Like this?
Thanks for liking this story! We have added it to a list of your favorite stories.
Students and teachers in Rochester Public Schools finished last week without Internet because suspicious activity on the district’s technology network forced them offline. This incident comes after a hacker group called Medusa stole the personal information of students and employees from Minneapolis Public Schools, demanded $1 million from the district and then posted the personal information to the dark web.
There have been 1,619 cybersecurity-related incidents in K-12 public schools in the U.S. between 2016 and 2022, according to the K12 Security Information eXchange, a national nonprofit that helps schools protect themselves from cybersecurity threats.
MPR News host Angela Davis spoke with two cybersecurity experts: Eric Brown, the founder and managing partner of IT Audit Labs, and Doug Levin, the director of the K12 Security Information eXchange about why schools are so vulnerable to cybersecurity attacks, why and how hackers steal personal information, and how people can keep their digital information safe.
Here are some key moments of the conversation.
Turn Up Your Support
MPR News helps you turn down the noise and build shared understanding. Turn up your support for this public resource and keep trusted journalism accessible to all.
The following transcript has been edited for length and clarity. Use the audio player above to listen to the full conversation.
Why are schools the target of cybersecurity attacks?
Doug Levin: There are three big reasons that schools are the target of these cyber attacks.
They are disproportionately vulnerable: They are resource poor, do not have the latest technology, and do not have a lot of cybersecurity expertise.
They manage money and data: Maintaining their facilities, transportation and food service takes money. They may be the largest employer in some communities and that is more than enough money to get the attention of cyber criminals. They also hold a lot of really valuable data about school community members, whether those be parents, educators, or students themselves.
They provide valuable services: There is very little appetite for schools having to be knocked offline, like we have seen in Minnesota, and then parents having to scramble to take care of their kids. There is a desire to resolve these incidents as quickly as possible with as little disruption as possible.
What information could hackers get from schools?
Levin: There's two populations that have data that is valuable to criminals.
Adults involved in the school system: Educators, parents, volunteers or even contractors with the school district can be targets for identity theft, tax fraud and payroll fraud.
Underaged people: Cyber criminals can abuse the identities of children and youth for years and years without being discovered. It’s only when those children turn the age of majority and apply for a college loan or maybe try to rent their first apartment, that credit record is pulled, and they find out that it has been abused for years. Adults tend to have folks who are monitoring them like a credit card company, but no such thing is happening for children and youth.
What can hackers do with your information?
Eric Brown: Unfortunately, the way our credit system is set up, credit starts open. So you get a social security number, and it's open and available for you to use. You don't have to request permission or give authorization to open that credit. So what happens is our social security numbers are floating around, and anyone who gets access to that number can use that for malicious purposes.
And as Doug said, could open credit up in your name, take a loan out, there are fraudulent tax forms that are filed to try to get your tax rebate before you do. But there's these malicious actors can really hold on to that number and manipulate it.
What usually happens in the aftermath of a cyber attack?
Brown: What typically happens is companies that have cyber insurance will call that insurance broker, they'll get a breach coach involved, and they'll start understanding how that breach occurred, and what information was disclosed. And organizations that hold personally identifiable information — things like social security numbers — have regulatory response requirements in which they must notify individuals that were impacted by the breach.
So lawyers get involved, and they really restrict what information can be talked about publicly. As a cybersecurity professional, it bothers me because if the other school districts or other municipalities in the area had that information, they can make sure that that they were protected. But unfortunately, the lawyers typically try to restrict that conversation, because they don't know yet what happened.
Once they do, they'll release information to the individuals who did have their personally identifiable information compromised. They'll get a breach notification letter, and typically an offer for some form of credit protection or credit monitoring for one, two or three years.
What can victims of cyber attacks do?
Brown: What we recommend is freezing your credit so that only you can unlock it and it's not available, just floating out there for everyone to use. We have to request it by working with the individual credit bureaus to freeze that credit. There are four bureaus: Equifax, TransUnion, Experian and Innovis and you can work directly with those bureaus for free to freeze your credit.
It takes about five minutes. You get a passcode or a pin to unlock that credit at a future date, if you're going to go get a loan for a home or a car, you'll unlock that credit for a period of time and you can specify that time. You essentially unfreeze that credit for that period of time to get your loan.
Once you do that, the other really important thing to do is to make sure that you're using a password manager, and you're not reusing passwords across multiple sites. And that's really where a lot of these malicious actors can compromise multiple pieces of our information because we're reusing our passwords.
Are there agencies that you could report to if something might be putting people at risk?
Levin: It's a particularly tough question. Depending on the business, there are some enforcement agencies that may be interested in learning, whether that's HHS (U.S. Department of Health & Human Services), the FTC (Federal Trade Commission) or even the SEC (U.S. Security and Exchange Commission). That tends to be for private companies, particularly larger ones, or maybe healthcare institutions or hospitals or financial institutions, basically regulated industries. But it does, I think, underscore that this is a leadership and governance issue.
Ultimately, an organization is only going to take it as seriously as that organization values that issue and unfortunately, we see too many cases that leaders either don't understand these issues very well or appreciate these risks, or are not willing to spend the money and time to put in place a training regime across an organization and ensuring that the practices are being audited and up to snuff.
Useful resources
Subscribe to the MPR News with Angela Davis podcast on: Apple Podcasts, Google Podcasts, Spotify or RSS.