Locked out of class

The state of Maryland on Nov. 24 blasted Baltimore public schools’ computer network for not guarding personal information, saying “significant risks” threatened its security. The next day, a cyberattack froze the schools’ website and email and grading system, halting classes for 115,000 students until Dec. 2.

Old networks, weak security, and troves of personal information make schools a tempting target for hackers. Online learning during the pandemic has only made school districts more vulnerable.

Microsoft estimates that 63 percent of 10 million malware encounters it monitored in the past 30 days occurred on devices used for education. Pew Trusts reported that between July and September, at least 16 districts across the country delayed classes, lost data, or were forced to repair thousands of school-issued laptops due to cyberattacks.

Sometimes hackers have no clear motivation: “Zoombombers” drop into online classes and distract or harass students. Attackers sent more than 8 million racist emails to students in one Florida county.

But often, hackers want money.

In a ransomware attack, computer criminals encrypt a target’s data to make it unreadable and then demand payment in exchange for a decryption key. Sometimes they extract sensitive information and threaten to leak it online if their demands aren’t met. In September, hackers posted grades and Social Security numbers from students in Las Vegas, The Wall Street Journal reported.

To avoid this, some schools hand over the money against the advice of the FBI, which argues giving in only encourages future attacks. Cybersecurity firm Coveware reported average ransom payments across all industries climbed to $111,605 in early 2020, up 33 percent from late 2019. The Journal found school districts and colleges paid at least $12 million in ransoms to hackers over the last year. Once paid, 97 percent of hackers provide the promised decryption key, according to Coveware.

Sometimes districts find a way out. In Athens, Texas, a school board authorized a $50,000 ransom payment before the school discovered an unencrypted backup of its data that allowed it to reset the compromised devices and regain control. The district posted an update to its Facebook page: “Athens ISD has a message for its cyberattackers: Nope.”