THE STATE OF K-12THESTATEOFK-12CYBERSECURITY:CYBERSECURITY:2020 YEAR IN REVIEW2020 YEAR IN REVIEWDouglas A. LevinK-12 Cybersecurity Resource Center and the K12 Security Information ExchangeMarch 10, 20210 P a g e

THE STATE OF K-12 CYBERSECURITY: 2020 YEAR IN REVIEWThe State of K-12 Cybersecurity: 2020 Year in Review report is joint product of the K12 SecurityInformation Exchange and the K-12 Cybersecurity Resource Center based on data from its K-12 CyberIncident Map, the definitive source of data on publicly-disclosed U.S. public K-12 cyber incidents.ABOUT THE K-12 CYBERSECURITY RESOURCE CENTERThe K-12 Cybersecurity Resource Center is the home of the K-12 Cyber Incident Map and is devotedsolely to reporting news and information related to school cybersecurity and privacy issues. It ismaintained as a free, independent resource for the K-12 community by EdTech Strategies, LLC inpartnership with the K12 Security Information Exchange (K12 SIX). Learn more at:https://k12cybersecure.comABOUT THE K12 SECURITY INFORMATION EXCHANGEThe K12 Security Information Exchange (K12 SIX) is a new national non-profit membership organizationdedicated solely to helping to protect K-12 schools—public and private—from cybersecurity threats,such as ransomware and phishing attacks. It was launched in late 2020 as an affiliate of the GlobalResilience Federation in response to the growing cybersecurity challenges facing schools nationwide,and in recognition of the unique challenges and context of K-12 operations. For more information,including on how school districts can participate, please visit https://www.k12six.orgSuggested Citation:Levin, Douglas A. (2021). “The State of K-12 Cybersecurity: 2020 Year in Review.” EdTechStrategies/K-12 Cybersecurity Resource Center and the K12 Security Information Exchange.Available online at: t 2021 by EdTech Strategies, LLC, and the K12 Security Information ExchangeCover photo credit: Brandon Morgan on Unsplash

THE STATE OF K-12 CYBERSECURITY: 2020 YEAR IN REVIEWACKNOWLEDGEMENTSSince the K-12 Cyber Incident Map first launched in 2017 it has benefited from many individual andcorporate supporters who have contributed financial and intellectual resources to its maintenance andongoing development. The 2020 report—produced in partnership with the K12 Security InformationExchange (K12 SIX)—was strengthened via collaborations with: Jennifer Gregory, Jacqueline M. Nowicki,Sherri Doughty, and Jessica Mausner of the U.S. Government Accountability Office; Danny Y. Huang ofthe Tandon School of Engineering, New York University; Dissent Doe, the pseudonym of a privacyadvocate and activist who blogs about privacy issues and data security breaches on PogoWasRight.organd; Tawnell Hobbs, the national K-12 education reporter for The Wall Street Journal;members of the OpsecEdu community; and, Staci Elliott, Jaquar Harris, Eric Lankford, Pat McGlone, andArshad Somani of K12 SIX.Nonetheless, K-12 cyber incident data, data analyses, and all other report contents are the soleresponsibility of the K-12 Cybersecurity Resource Center (operated by EdTech Strategies, LLC) and donot necessarily represent the views of collaborators, sponsors, or donors. All errors and omissionscontained herein are the responsibility of the author.CHAMPION SPONSORDEFENDER SPONSORS

INTRODUCTIONAn unprecedented year offered a profound stress test of the resiliency and security of the K-12educational technology ecosystem.The discipline of cybersecurity concerns itself with ensuring the confidentiality, integrity, and availabilityof information technology (IT) systems and the data they collect and process. In the public U.S. K-12context—a 760 billion sector, serving over 50 million students1—school IT systems collect and managesensitive data about students, about their parents, guardians, and families, about educators and otherschool staff, and about school district operations. In some cases, these IT systems are locally hosted onschool district premises or in shared hosting arrangements with other local government entities;increasingly, they are hosted by an ecosystem of vendors ‘in the cloud’ on systems accessible by anyinternet-connected device.While there are myriad benefits to the adoption and use of IT systems by school districts—and to thecollection and sharing of education-related data with trusted partners—it is important we acknowledgethat any adoption of technology also introduces cybersecurity risk. As one leading cybersecurity expertfamously quipped:“The only truly secure system is one that is powered off, cast in a block of concrete andsealed in a lead-lined room with armed guards—and even then I have my doubts.”2Indeed, this sentiment illustrates why the goal of leadership is not to guarantee absolute security—afool’s errand and impossible task. Instead, leaders identify potential risks, weigh the likelihood andsignificance of the real-world impacts of those risks should they come to pass, and—by allocatingbudgets and directing activities—manage them appropriately in the context of other pressingorganizational needs.While policymakers and school leaders have historicallydemonstrated a reasonable duty of care in protectingmembers of their school communities from physicalsecurity risks, natural disasters, and extreme weatherevents (and—as 2020 has demonstrated—public healthrisks, too), such a commitment has heretofore largely beenabsent with respect to school-related cybersecurity risk.1 P a g eThe Growing Threat ofSchool Cyber Incidents# of Disclosed IncidetnsUnfortunately, in the context of U.S. K-12 public schooldistricts, cybersecurity risks are now neither hypothetical,nor trivial—as the State of K-12 Cybersecurity: Year inReview report series and a growing body of evidence hasdocumented.350040030020010002016 2017 2018 2019 2020Calendar Year

Notwithstanding the heroic education IT-related efforts to ensure remote learning was possible for largenumbers of elementary and secondary students and their teachers during 2020, it should hardly besurprising that school district responses to the COVID-19 pandemic also revealed significant gaps andcritical failures in the resiliency and security of the K-12 educational technology ecosystem.Indeed, the 2020 calendar year saw a record-breaking number of publicly-disclosed school cyberincidents. Moreover, many of these incidents were significant: resulting in school closures, millions ofdollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and creditfraud.This report—the latest in The State of K-12 Cybersecurity: Year in Review series—aims to help remedy aninformation gap on the risks from school cybersecurity incidents. By cataloging and analyzing data fromevery publicly-disclosed cybersecurity incident affecting public elementary and secondary educationagencies across the U.S. in the prior calendar year, the series is intended to spur greater attention to thechallenges of securing the K-12 IT ecosystem and suggest ways that policymakers and school districtleaders might effectively respond.The K-12 Cyber Incident Map: following chapters of the report present findings from detailed analyses of cyber incidentsexperienced by school districts during the past year, as well as the characteristics of those districts. Itconcludes with recommendations to address the growing challenge of cybersecurity risk management inthe K-12 sector writ large. An appendix offers information on the data and methods relied on for thisreport.2 P a g e

K-12 CYBER INCIDENTS: ANALYSIS AND TRENDSDuring calendar year 2020, the K-12 Cyber Incident Map cataloged 408 publicly-disclosed schoolincidents, including student and staff data breaches, ransomware and other malware outbreaks,phishing attacks and other social engineering scams, denial-of-service attacks, and a wide variety ofother incidents. This is 18 percent more incidents than were publicly-disclosed during the prior calendaryear (and—for the second year running—the most since the K-12 Cyber Incident Map first startedtracking these incidents in 2016). This equates to a rate of more than two incidents per school day overthe course of 2020.What were the most frequently experienced types of school-related cyber incidents reported during2020? Data assembled for the K-12 Cyber Incident Map are instructive.K-12 CYBER INCIDENT TYPES: 20205%2%Denial of Service12%Phishing45%RansomwareData Breach/Leak36%OtherNote: ‘Other’ incidents include unattributed malware, class and meeting invasions, email invasion,website and social media defacement, and a wide variety of related and/or low-frequency incidents.The Impact of the COVID-19 PandemicDue to the COVID-19 pandemic, the presentation of school cyber incidents over the course of the 2020calendar year was atypical, testing the nimbleness of school district IT staff and operations.The first quarter of 2020 largely pre-dated the pandemic. As such—unsurprisingly—the pattern ofschool cyber incidents disclosed during that period seems a direct extension of trends from the prioryear.However, the second quarter of 2020—coincident with the rise of COVID-19 and the correspondingadoption of remote learning—marked a sharp departure from the prevailing trend line. During thisperiod, many schools ceased in-person operations and adopted video conferencing tools to host3 P a g e

synchronous online classes and school community meetings. This shift also introduced a new class ofschool cyber threats that plagued districts almost to the complete exclusion of other incident typesduring that period: class invasion and its two variants.For the purposes of this report, ‘class invasion’ is defined as incidents where unauthorized individualsdisrupt online classes, often with hate speech; shocking images, sounds, and videos; and/or threats ofviolence. ‘Meeting invasion’ represents the same tactic but is aimed instead at public school board andother school community meetings, such as PTA meetings, virtual graduations, and openhouses/orientation sessions. And, ‘email invasion’ involves the compromise of a school district emailsystem for the purpose of bulk sharing of disturbing images, videos, hate speech, and/or threats ofviolence—or links to the same—to members of the school/district community.The Impact of COVID-19 on K-12 Cyber Incidents2020Disclosed K-12Cyber IncidentsQ149Q267Q3Q4Primary Incident Types(sorted by relative frequency) Ransomware and other malwareStudent and staff data breachesTargeted phishing attacks/business emailcompromise Class/meeting invasionStudent data breaches160 Class/meeting invasionStudent data breachesRansomware and other malwareDenial-of-service attacks132 Student and staff data breachesRansomware and other malwareClass/meeting invasionDenial-of-service attacksThe start of the 2020-2021 school year in the late summer/fall of 2020 (Q3) brought with it a surge incyber incidents that lasted through the end of the calendar year. Several factors are likely to havecontributed to this marked shift: Schools increased their reliance on technology tools for teaching and learning over the course oflate spring and early summer months, including in many cases by (a) deploying thousands ofnew devices to students and educators under very tight deadlines, (b) adopting new teachingand learning platforms without adequate time to train users and otherwise prepare for theirimplementation, and (c) by allowing (or encouraging) staff to use free applications and servicesthat had not undergone appropriate vetting.4 P a g e

School district IT staff—unable to physically service devices due to COVID-19 safetyrestrictions—may have granted users elevated access to their devices and/or deployed remoteaccess tools to support remote learning.Devices used during remote learning—and on untrusted networks in student and educatorhomes—were re-introduced to school networks in the fall for those districts that returned to inperson learning temporarily or in part. These devices may or may not have been updated and/orscanned for malware before that reintroduction.Threat actors may be growing increasingly sophisticated in targeting school districts, focusingtheir efforts at times during the school year that schools may be most vulnerable, including atthe beginning of the school year and over Thanksgiving and winter holidays.Calendar year 2020 offered a profound stress test of the resiliency and security of the K-12 educationaltechnology ecosystem. The evidence suggests that in rapidly shifting to remote learning school districtsnot only exposed themselves to greater cybersecurity risks but were also less able to mitigate theimpact of the cyber incidents they experienced. This suggests that school districts should revisit theircontingency plans for continuity of operations during emergencies, with a focus on IT systems used inteaching and learning and district operations. While no one can predict whether another globalpandemic will close schools to in-person learning, important lessons can and should be drawn from thisexperience to ensure that if such an event (or something like it) occurs again in the future, districts arebetter prepared.Data BreachesSince at least 2016, data breaches have been the mostcommon single type of publicly-disclosed cyber incidentexperienced by school districts. 2020 was no exception tothis long-term trend: The K-12 Cyber Incident Mapdocumented 145 data breach incidents involving publicschools (representing 36 percent of all incidents disclosedduring the year). These breaches most often involve theunauthorized disclosure of student data but may alsoinclude significant amounts of data about school districtstaff, including educators. In fact, many cases of schooldata breaches involve sensitive data on both students andstaff.During 2020, the U.S. Government Accountability Office published a study based on the dataset used bythis report series exclusively on the topic of student data breaches, Data Security: Recent K-12 DataBreaches Show That Students Are Vulnerable to Harm.4 The report found: Large numbers5 of K-12 students had their personal information compromised in data breachesbetween 2016 and 2020Compromised data included grades, bullying reports, and Social Security numbers—leavingstudents vulnerable to emotional, physical, and financial harmBreaches were accidental and intentional—with a variety of responsible actors and motives5 P a g e

Wealthier, larger, and suburban school districts were more likely to have a reported breachIndeed, there should be little argument that student data breaches can have significant repercussionsfor current and former students and their families. Take the recent case of Toledo (OH) Public Schools(TPS) as a cautionary tale. In September 2020, security researchers learned that the Maze ransomwarecartel had compromised the data systems of TPS.6 Either because the district did not meet the criminalgroup’s extortion demands or for other reasons of their own, Maze dumped 9GB of compressed TPSdata on their site, including sensitive student and employee data. These data did not appear to involvecurrent records, but those held by the district from at least 2008 to 2017.7 By February of 2021—lessthan six months from the initial incident—news outlets began reporting that parents were receivingnotifications of identity theft and credit fraud involving their TPS students:“[One parent] learned his son’s information is in the hands of people it shouldn’t be.Here are some of the messages he’s received about his elementary schooler: The first one was for denial for a credit card.Another one happened when the child was denied for a car loan because it saidthe reason was because of his income ratio.One of the last ones was to have fixed electric rates.The family got a flier talking about the student’s Toledo Edison account and thegift card he could get by switching suppliers.‘They’ve got our children’s information and they’re trying to use it,’ said [the parent].”8A Growing Threat: Breaches Impacting School Vendors and Other Third PartiesAs noted for the first time in last year’s State of K-12 Cybersecurity: Year in Review report, the K-12Cyber Incident Map has documented numerous, significant vendor (and partner) related securityincidents involving unauthorized access to student and/or educator data.9 For the second calendar yearrunning, at least 75 percent of all data breach incidents affecting U.S. public K-12 school districts werethe result of security incidents involving school district vendors and other partners. Vendors implicatedin 2020 incidents include: Active Network (Blue Bear), Aeries, Blackbaud, Interactive Medical Systems,K12 (now, Stride), and Timberline Billing Service.10 Moreover, security incidents involving school vendorsduring 2020—such as those experienced by Tyler Technologies and SolarWinds11—exposed many schooldistrict IT systems and data to significant risks.Several recent—and alarming—reports of lax vendor security practices in the education sector suggestthat at least some school district vendors have not been giving enough priority to architecting andmanaging their services with security in mind. As one report concluded: “Information security in theeducation sector has been overlooked, even though it impacts a massive number of people across thecountry.”12 Another security researcher summed up his investigations into education technologysoftware this way:"When I took a look, there was so much that was vulnerable—just a stupid amount ofvulnerability . I’m not some genius. It's just very obvious that nobody else is looking."136 P a g e

While many questions remain unanswered regarding the state of K-12 vendor and partner securitypractices, the GAO concluded that “cyberattacks carried out directly against ed-tech vendors tend tohave an especially severe impact on K-12 because they affect a large swath of students across multipleschool districts at the same time.”14 Indeed, the fact that data breaches and other security incidentscontinue to plague school district vendors and their partners should raise significant questions about thesufficiency and effectiveness of both industry self-regulatory efforts and existing data privacy andsecurity regulations.15Class Invasions, Denial-of-Service Attacks, and Related DisruptionsAs previously noted, the 2020 calendar year gave rise to an entirely new class of school cyber incident:class invasion and its two variants.16 When combined with denial-of-service attacks launched againstschool districts and their vendors during periods of remote learning, these incidents represent asignificant proportion of all publicly-disclosed incidents experienced by public school districts during2020.‘Class invasion’ is defined as incidents where unauthorized individuals disrupt online classes,often with hate speech; shocking images, sounds, and videos; and/or threats of violence.‘Meeting invasion’ represents the same tactic but is aimed instead at public school board andother school community meetings, such as PTA meetings, virtual graduations, and openhouses/orientation sessions. ‘Email invasion’ involves the compromise of a school district emailsystem for the purpose of bulk sharing of disturbing images, videos, hate speech, and/orthreats of violence—or links to the same—to members of the school/district community.Security failures by school districts and their vendors had several impacts on schools and theircommunities, including: Class disruptions and cancellations, and—in more extreme circumstances—school closures17School board meeting disruptions and cancellations18Disruption of email service to and from school community members19The exposure of young children and youth (as young as kindergarteners) to racist, sexist, andanti-Semitic hate speech; threats of violence; live sex acts; and hard-core pornography20While many of the class and meeting invasion incidents were associated with the Zoom platform, by nomeans were incidents restricted to that service. Rather, this class of incidents is better thought of as abroader set of security challenges with the rapid adoption of synchronous communications tools toenable remote learning and meetings, especially those involving real-time video sharing. Thesignificance and frequency of these events was so rapid and so alarming that by early April 2020—a fewshort weeks since schools had begun to shift to remote learning—the U.S. Department of Justice issueda press release (Federal, State, and Local Law Enforcement Warn Against Teleconferencing HackingDuring Coronavirus Pandemic) threatening perpetrators of these attacks with state or federal crimes fortheir actions:7 P a g e

“Charges may include—to name just a few—disrupting a public meeting, computerintrusion, using a computer to commit a crime, hate crimes, fraud, or transmittingthreatening communications. All of these charges are punishable by fines andimprisonment.”21One month later, the federal Cybersecurity & Infrastructure Security Agency (CISA) issued its ownguidance to the nation’s schools, recommending over 20 concrete steps that both K-12 organizationsand end users could take to minimize the risks associated with the use of video conferencing tools andonline platforms for remote learning (Cybersecurity Recommendations for K-12 Schools using VideoConferencing Tools and Online Platforms).22Notwithstanding these federal interventions in April and May of 2020—and the widely publicizedcoverage of these incidents in the media—the K-12 Cyber Incident Map documented four times as manyclass invasions in the second half of the calendar year as the first half.Recent research suggests why these attacks may have been so challenging to defend against and offersinsights into the types of controls that might effectively mitigate them:“Our findings indicate that the vast majority of calls for [class and meeting invasion] are not made by attackers stumbling upon meeting invitations or bruteforcing theirmeeting ID, but rather by insiders who have legitimate access to these meetings,particularly students in high school and college classes. This has important securityimplications, because it makes common protections against [class and meeting invasion] , such as password protection, ineffective. We also find instances of insiders instructingattackers to adopt the names of legitimate participants in the class to avoid detection,making countermeasures like setting up a waiting room and vetting participants lesseffective. Based on these observations the only effective defense against [class andmeeting invasion] is creating unique join links for each participant [emphasisadded].”23RansomwareDuring 2020, the K-12 Cyber Incident Map documented 50 instances of U.S. public K-12 school districtsbeing impacted by ransomware, a particularly virulent type of malware designed to facilitate theextortion of money from victims. Another 8 districts reported malware outbreaks that resembledransomware but were not publicly confirmed as such. Incidents were geographically dispersed, withreports of school ransomware emerging from districts across 25 different states.While the number of incidents alone should be alarming to K-12 leaders and policymakers, what sets2020 apart from prior years is less the raw number of incidents (after all, there were 24 percent more K12 ransomware incidents disclosed during 2019) and more the increase in the severity of incidents8 P a g e

experienced. In recognition of the growing threat of ransomware attacks on K-12 schools, in June the FBIissued an alert that:" cyber actors are likely to increase targeting of K-12 schools during the COVID-19pandemic [with ransomware] because they represent an opportunistic target as more ofthese institutions transition to distance learning.”24And, in December of 2020 guidance (Cyber Actors Target K-12 Distance Learning Education to CauseDisruptions and Steal Data) was jointly released by the FBI, CISA, and the Multi-State InformationSharing and Analysis Center (MS-ISAC), noting:“These issues [cybersecurity incidents, in general, and ransomware incidents,specifically] will be particularly challenging for K-12 schools that face resourcelimitations; therefore, educational leadership, information technology personnel, andsecurity personnel will need to balance this risk when determining their cybersecurityinvestments.”25There are at least three ways that the severity of ransomware incidents increased during 2020 ascompared to prior years. One—for the first time since the K-12 Cyber Incident has been tracking schoolcyber incidents, some ransomware actors exfiltrated sensitive data from school districts either before oralongside the activation of their malicious software.26 Reports suggest that these criminal actorsthreatened malicious use of the stolen data as an additional lever in extortion negotiations (i.e., ifvictims did not pay, personal data of students and educators would be openly shared in criminal forums,which would likely result in attempts at identity theft, credit fraud, and account takeover via targetedphishing). Across 7 districts that were victimized by this tactic during 2020, the personal information ofat least 560,000 current students and 56,000 current staff were exposed. However, given the fact thatdistricts maintain records of former students and staff as well, the actual number of potentially affectedindividuals could be 5–10 times higher.Two—while there are no public reports of school districts having paid extortion fees to ransomwareactors during 2020 (unlike prior years), anecdotal reports suggest that extortion demands made toschools may have significantly increased, in some cases far exceeding 1 million per incident.Three—in an extension of a trend first reported in last year’s report and exacerbated by the COVID-19pandemic, the reports of school closures and class cancellations associated with ransomware incidents(in some cases lasting a week or longer) tripled from the prior year to 15 school districts across 13states.27 As Dr. Leslie Torres-Rodriguez, Superintendent of Hartford (CT) Public Schools testified to theU.S. Senate Committee on Homeland Security & Governmental Affairs in December of 2020:9 P a g e

“The cyberattack had extremely disruptive effects on our school system, students, andstaff. We were forced to postpone our first day of school on September 8, followingmonths of intense planning for in-person learning amidst the COVID-19 pandemic. Whileour beautiful and capable students have been attending school either in-person or onlinefor nearly three months now, we are still repairing and recovering from the lingeringeffects of the attack.”28Phishing (Fraud)Anecdotal reports suggest that school districts are frequently the subject of mass email phishingcampaigns targeting individual employees and students, including gift-card scams and account takeoverattempts. In one commonly employed tactic targeting teachers, attackers abuse free email services,including Gmail, Outlook, Mail[.]ru, Hotmail, iCloud, and Yahoo to create fake email accountsimpersonating K-12 school personnel. According to Microsoft researchers:“The accounts are created based onpublicly available information, which isharvested from various websites or socialmedia platforms. They then use theseaccounts to send scam emails to theirtargets . Typical to BEC [business emailcompromise] scams and phishing attacks,the threat actors employ various lures andscenarios to fabricate a sense of legitimacyand to suggest urgency.”29As common as they may be, however, thesephishing campaigns are primarily dealt with bydistrict IT staff and rarely rise to the level of publicdisclosure.Instead, the types of incidents more likely to becaptured on the K-12 Cyber Incident Map arespear-phishing attempts involving the targeting ofthose with the authority to authorize large financialtransactions on behalf of the district. While theabsolute numbers of this type of publicly-disclosedphishing attacks against school districts are down from prior years, those that came to light reveal theseriousness with which this type of incident needs to be treated.Specifically, 4 separate incidents were reported during 2020 that confirmed thefts of school districtfunds, ranging from a low of 206,000—the result of a school official mistakenly entering school board10 P a g e

banking information into a malicious website—to a high of 9.8 million—involving the compromise ofcommunications of a district’s investment advisor and bank.30Across the approximately 20 such incidents cataloged by the K-12 Cyber Incident Map since 2016, themedian amount of money stolen in spear-phishing attacks against school administrative staff andvendors is 2 million per incident. In many cases, law enforcement is not able to retrieve these funds,and even in the cases where they can it may be weeks or more before funds are restored to the victims.11 P a g e

CHARACTERISTICS OF DISTRICTS AT RISKFor the 2020 calendar year, the K-12 Cybersecurity Resource Center catalogued 408 publicly-disclosedincidents involving 377 education organizations across 40 states. Of these, regular public school districtswere involved in the majority of cyber incidents. Notably, the number of charter schools thatexperienced incidents reached an all-time high during 2020 (equating to 11 percent of all incidentsexperienced during 2020). Other public K-12 educational entities in the 2020 dataset include regionaleducation agencies, state departments of education, state boards of education, and a state charterschool board. In line with trends from prior years, 12 percent of all school districts that experienced anincident during 2020 went on to experience at least one other incident during the year.For the 5-year period

10/3/2021 · K-12 CYBER INCIDENTS: ANALYSIS AND TRENDS . During calendar year 2020, the K-12 Cyber Incident Map cataloged 408 publicly-disclosed school incidents, including student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and other social engineering scams, denial-of-service attacks, and a wide variety of other .