Ransomware attacks on schools have doubled in the last year and pose a growing threat to public and private districts across the country, according to a new report from S&P Global Ratings.
The credit rating agency’s report found that such attacks have not affected schools’ credit quality or resulted in long-term operational problems so far. Successful attacks can prove costly, requiring technology investments, ransom payments, legal fees, cyber security consultant fees and costs associated with credit monitoring services for affected people, according to the S&P report.
“Depending on the extent of the incident, a cyber attack can have longer-term operational and budgetary implications and affect overall financial flexibility and credit strength,” according to the S&P report.
Cyber attacks have caused problems for school districts.
In January, 30,000 students in Des Moines Public Schools missed school when Iowa’s largest school district had to close after a ransomware attack. The district said it did not and would not pay any ransom in response to the attack. Los Angeles Unified, the second-largest school district in the nation, dealt with a cyber attack in September 2022. Los Angeles also did not pay a ransom. Other districts have paid ransoms. S&P said 50% of providers paid to get data back.
“It’s really hard to know who is [paying], it’s not something that a lot of school districts want to advertise,” said Keith Krueger, the CEO of The Consortium for School Networking, a professional association for K-12 education technology leaders. “The cybercriminals have figured that out. Even if you pay, you may or may not get back your data. They are criminals.”
Other school districts have had to cancel classes, delay exams and deal with the theft of the personal information of students and staff.
School districts maintain highly sensitive information. Criminals see schools as “target rich and cyber poor,” S&P found.
Recovering from cyber attacks can take time, according to a U.S. Government Accountability Office report released this week. That report found the loss of learning after an attack “ranged from 3 days to 3 weeks and recovery time ranged from 2 to 9 months.” The GAO report found financial losses to school districts ranged from $50,000 to $1 million. The GAO also noted that the “precise national magnitude of cyberattacks on K-12 schools is unknown.” Experts said many attacks are not reported. The issue isn’t limited to schools. It can affect the vendors that districts hire. In 2022, a cyber attack on Illuminate Education, an education technology company based in California, affected more than 1 million students, including students in New York, California, Connecticut, Washington, Oklahoma and Colorado.
This summer, the Minnesota Department of Education reported that a technology vendor, MOVEit, got hit with a cyber attack. That breach affected organizations around the globe, including at least 500 other state and federal agencies, financial services firms, pension funds and other types of companies and nonprofit groups. Sensitive student data was exposed for about 95,000 MDOE students in foster care, including dates of birth and county of foster placement, according to the S&P report.
A 2022 Multi-State Information Sharing and Analysis Center report found that 83% of survey respondents had cyber insurance and 63% had prepared a response plan for a cyber attack.
“Unfortunately not all schools may be able to maintain cyber insurance given skyrocketing premiums, which may weaken risk mitigation preparedness,” S&P noted.
In July, Federal Communications Commission Chairwoman Jessica Rosenworcel proposed up to $200 million over three years to help harden cyber defenses in K-12 schools and libraries.
“With the growing number of sophisticated cyberattacks on schools and especially the rise in malicious ransomware attacks that harm our students, now is the time to take action,” Rosenworcel said at the time.
The S&P report noted that: “The K-12 school sector, and the government sector, can lag behind the private sector in adopting stronger cyber security mitigation measures.”