e-dokumen.com

synchronous online classes and school community meetings. This shift also introduced a new class ofschool cyber threats that plagued districts almost to the complete exclusion of other incident typesduring that period: class invasion and its two variants.For the purposes of this report, ‘class invasion’ is defined as incidents where unauthorized individualsdisrupt online classes, often with hate speech; shocking images, sounds, and videos; and/or threats ofviolence. ‘Meeting invasion’ represents the same tactic but is aimed instead at public school board andother school community meetings, such as PTA meetings, virtual graduations, and openhouses/orientation sessions. And, ‘email invasion’ involves the compromise of a school district emailsystem for the purpose of bulk sharing of disturbing images, videos, hate speech, and/or threats ofviolence—or links to the same—to members of the school/district community.The Impact of COVID-19 on K-12 Cyber Incidents2020Disclosed K-12Cyber IncidentsQ149Q267Q3Q4Primary Incident Types(sorted by relative frequency) Ransomware and other malwareStudent and staff data breachesTargeted phishing attacks/business emailcompromise Class/meeting invasionStudent data breaches160 Class/meeting invasionStudent data breachesRansomware and other malwareDenial-of-service attacks132 Student and staff data breachesRansomware and other malwareClass/meeting invasionDenial-of-service attacksThe start of the 2020-2021 school year in the late summer/fall of 2020 (Q3) brought with it a surge incyber incidents that lasted through the end of the calendar year. Several factors are likely to havecontributed to this marked shift: Schools increased their reliance on technology tools for teaching and learning over the course oflate spring and early summer months, including in many cases by (a) deploying thousands ofnew devices to students and educators under very tight deadlines, (b) adopting new teachingand learning platforms without adequate time to train users and otherwise prepare for theirimplementation, and (c) by allowing (or encouraging) staff to use free applications and servicesthat had not undergone appropriate vetting.4 P a g e

School district IT staff—unable to physically service devices due to COVID-19 safetyrestrictions—may have granted users elevated access to their devices and/or deployed remoteaccess tools to support remote learning.Devices used during remote learning—and on untrusted networks in student and educatorhomes—were re-introduced to school networks in the fall for those districts that returned to inperson learning temporarily or in part. These devices may or may not have been updated and/orscanned for malware before that reintroduction.Threat actors may be growing increasingly sophisticated in targeting school districts, focusingtheir efforts at times during the school year that schools may be most vulnerable, including atthe beginning of the school year and over Thanksgiving and winter holidays.Calendar year 2020 offered a profound stress test of the resiliency and security of the K-12 educationaltechnology ecosystem. The evidence suggests that in rapidly shifting to remote learning school districtsnot only exposed themselves to greater cybersecurity risks but were also less able to mitigate theimpact of the cyber incidents they experienced. This suggests that school districts should revisit theircontingency plans for continuity of operations during emergencies, with a focus on IT systems used inteaching and learning and district operations. While no one can predict whether another globalpandemic will close schools to in-person learning, important lessons can and should be drawn from thisexperience to ensure that if such an event (or something like it) occurs again in the future, districts arebetter prepared.Data BreachesSince at least 2016, data breaches have been the mostcommon single type of publicly-disclosed cyber incidentexperienced by school districts. 2020 was no exception tothis long-term trend: The K-12 Cyber Incident Mapdocumented 145 data breach incidents involving publicschools (representing 36 percent of all incidents disclosedduring the year). These breaches most often involve theunauthorized disclosure of student data but may alsoinclude significant amounts of data about school districtstaff, including educators. In fact, many cases of schooldata breaches involve sensitive data on both students andstaff.During 2020, the U.S. Government Accountability Office published a study based on the dataset used bythis report series exclusively on the topic of student data breaches, Data Security: Recent K-12 DataBreaches Show That Students Are Vulnerable to Harm.4 The report found: Large numbers5 of K-12 students had their personal information compromised in data breachesbetween 2016 and 2020Compromised data included grades, bullying reports, and Social Security numbers—leavingstudents vulnerable to emotional, physical, and financial harmBreaches were accidental and intentional—with a variety of responsible actors and motives5 P a g e

Wealthier, larger, and suburban school districts were more likely to have a reported breachIndeed, there should be little argument that student data breaches can have significant repercussionsfor current and former students and their families. Take the recent case of Toledo (OH) Public Schools(TPS) as a cautionary tale. In September 2020, security researchers learned that the Maze ransomwarecartel had compromised the data systems of TPS.6 Either because the district did not meet the criminalgroup’s extortion demands or for other reasons of their own, Maze dumped 9GB of compressed TPSdata on their site, including sensitive student and employee data. These data did not appear to involvecurrent records, but those held by the district from at least 2008 to 2017.7 By February of 2021—lessthan six months from the initial incident—news outlets began reporting that parents were receivingnotifications of identity theft and credit fraud involving their TPS students:“[One parent] learned his son’s information is in the hands of people it shouldn’t be.Here are some of the messages he’s received about his elementary schooler: The first one was for denial for a credit card.Another one happened when the child was denied for a car loan because it saidthe reason was because of his income ratio.One of the last ones was to have fixed electric rates.The family got a flier talking about the student’s Toledo Edison account and thegift card he could get by switching suppliers.‘They’ve got our children’s information and they’re trying to use it,’ said [the parent].”8A Growing Threat: Breaches Impacting School Vendors and Other Third PartiesAs noted for the first time in last year’s State of K-12 Cybersecurity: Year in Review report, the K-12Cyber Incident Map has documented numerous, significant vendor (and partner) related securityincidents involving unauthorized access to student and/or educator data.9 For the second calendar yearrunning, at least 75 percent of all data breach incidents affecting U.S. public K-12 school districts werethe result of security incidents involving school district vendors and other partners. Vendors implicatedin 2020 incidents include: Active Network (Blue Bear), Aeries, Blackbaud, Interactive Medical Systems,K12 (now, Stride), and Timberline Billing Service.10 Moreover, security incidents involving school vendorsduring 2020—such as those experienced by Tyler Technologies and SolarWinds11—exposed many schooldistrict IT systems and data to significant risks.Several recent—and alarming—reports of lax vendor security practices in the education sector suggestthat at least some school district vendors have not been giving enough priority to architecting andmanaging their services with security in mind. As one report concluded: “Information security in theeducation sector has been overlooked, even though it impacts a massive number of people across thecountry.”12 Another security researcher summed up his investigations into education technologysoftware this way:"When I took a look, there was so much that was vulnerable—just a stupid amount ofvulnerability . I’m not some genius. It's just very obvious that nobody else is looking."136 P a g e

While many questions remain unanswered regarding the state of K-12 vendor and partner securitypractices, the GAO concluded that “cyberattacks carried out directly against ed-tech vendors tend tohave an especially severe impact on K-12 because they affect a large swath of students across multipleschool districts at the same time.”14 Indeed, the fact that data breaches and other security incidentscontinue to plague school district vendors and their partners should raise significant questions about thesufficiency and effectiveness of both industry self-regulatory efforts and existing data privacy andsecurity regulations.15Class Invasions, Denial-of-Service Attacks, and Related DisruptionsAs previously noted, the 2020 calendar year gave rise to an entirely new class of school cyber incident:class invasion and its two variants.16 When combined with denial-of-service attacks launched againstschool districts and their vendors during periods of remote learning, these incidents represent asignificant proportion of all publicly-disclosed incidents experienced by public school districts during2020.‘Class invasion’ is defined as incidents where unauthorized individuals disrupt online classes,often with hate speech; shocking images, sounds, and videos; and/or threats of violence.‘Meeting invasion’ represents the same tactic but is aimed instead at public school board andother school community meetings, such as PTA meetings, virtual graduations, and openhouses/orientation sessions. ‘Email invasion’ involves the compromise of a school district emailsystem for the purpose of bulk sharing of disturbing images, videos, hate speech, and/orthreats of violence—or links to the same—to members of the school/district community.Security failures by school districts and their vendors had several impacts on schools and theircommunities, including: Class disruptions and cancellations, and—in more extreme circumstances—school closures17School board meeting disruptions and cancellations18Disruption of email service to and from school community members19The exposure of young children and youth (as young as kindergarteners) to racist, sexist, andanti-Semitic hate speech; threats of violence; live sex acts; and hard-core pornography20While many of the class and meeting invasion incidents were associated with the Zoom platform, by nomeans were incidents restricted to that service. Rather, this class of incidents is better thought of as abroader set of security challenges with the rapid adoption of synchronous communications tools toenable remote learning and meetings, especially those involving real-time video sharing. Thesignificance and frequency of these events was so rapid and so alarming that by early April 2020—a fewshort weeks since schools had begun to shift to remote learning—the U.S. Department of Justice issueda press release (Federal, State, and Local Law Enforcement Warn Against Teleconferencing HackingDuring Coronavirus Pandemic) threatening perpetrators of these attacks with state or federal crimes fortheir actions:7 P a g e

“Charges may include—to name just a few—disrupting a public meeting, computerintrusion, using a computer to commit a crime, hate crimes, fraud, or transmittingthreatening communications. All of these charges are punishable by fines andimprisonment.”21One month later, the federal Cybersecurity & Infrastructure Security Agency (CISA) issued its ownguidance to the nation’s schools, recommending over 20 concrete steps that both K-12 organizationsand end users could take to minimize the risks associated with the use of video conferencing tools andonline platforms for remote learning (Cybersecurity Recommendations for K-12 Schools using VideoConferencing Tools and Online Platforms).22Notwithstanding these federal interventions in April and May of 2020—and the widely publicizedcoverage of these incidents in the media—the K-12 Cyber Incident Map documented four times as manyclass invasions in the second half of the calendar year as the first half.Recent research suggests why these attacks may have been so challenging to defend against and offersinsights into the types of controls that might effectively mitigate them:“Our findings indicate that the vast majority of calls for [class and meeting invasion] are not made by attackers stumbling upon meeting invitations or bruteforcing theirmeeting ID, but rather by insiders who have legitimate access to these meetings,particularly students in high school and college classes. This has important securityimplications, because it makes common protections against [class and meeting invasion] , such as password protection, ineffective. We also find instances of insiders instructingattackers to adopt the names of legitimate participants in the class to avoid detection,making countermeasures like setting up a waiting room and vetting participants lesseffective. Based on these observations the only effective defense against [class andmeeting invasion] is creating unique join links for each participant [emphasisadded].”23RansomwareDuring 2020, the K-12 Cyber Incident Map documented 50 instances of U.S. public K-12 school districtsbeing impacted by ransomware, a particularly virulent type of malware designed to facilitate theextortion of money from victims. Another 8 districts reported malware outbreaks that resembledransomware but were not publicly confirmed as such. Incidents were geographically dispersed, withreports of school ransomware emerging from districts across 25 different states.While the number of incidents alone should be alarming to K-12 leaders and policymakers, what sets2020 apart from prior years is less the raw number of incidents (after all, there were 24 percent more K12 ransomware incidents disclosed during 2019) and more the increase in the severity of incidents8 P a g e

experienced. In recognition of the growing threat of ransomware attacks on K-12 schools, in June the FBIissued an alert that:" cyber actors are likely to increase targeting of K-12 schools during the COVID-19pandemic [with ransomware] because they represent an opportunistic target as more ofthese institutions transition to distance learning.”24And, in December of 2020 guidance (Cyber Actors Target K-12 Distance Learning Education to CauseDisruptions and Steal Data) was jointly released by the FBI, CISA, and the Multi-State InformationSharing and Analysis Center (MS-ISAC), noting:“These issues [cybersecurity incidents, in general, and ransomware incidents,specifically] will be particularly challenging for K-12 schools that face resourcelimitations; therefore, educational leadership, information technology personnel, andsecurity personnel will need to balance this risk when determining their cybersecurityinvestments.”25There are at least three ways that the severity of ransomware incidents increased during 2020 ascompared to prior years. One—for the first time since the K-12 Cyber Incident has been tracking schoolcyber incidents, some ransomware actors exfiltrated sensitive data from school districts either before oralongside the activation of their malicious software.26 Reports suggest that these criminal actorsthreatened malicious use of the stolen data as an additional lever in extortion negotiations (i.e., ifvictims did not pay, personal data of students and educators would be openly shared in criminal forums,which would likely result in attempts at identity theft, credit fraud, and account takeover via targetedphishing). Across 7 districts that were victimized by this tactic during 2020, the personal information ofat least 560,000 current students and 56,000 current staff were exposed. However, given the fact thatdistricts maintain records of former students and staff as well, the actual number of potentially affectedindividuals could be 5–10 times higher.Two—while there are no public reports of school districts having paid extortion fees to ransomwareactors during 2020 (unlike prior years), anecdotal reports suggest that extortion demands made toschools may have significantly increased, in some cases far exceeding 1 million per incident.Three—in an extension of a trend first reported in last year’s report and exacerbated by the COVID-19pandemic, the reports of school closures and class cancellations associated with ransomware incidents(in some cases lasting a week or longer) tripled from the prior year to 15 school districts across 13states.27 As Dr. Leslie Torres-Rodriguez, Superintendent of Hartford (CT) Public Schools testified to theU.S. Senate Committee on Homeland Security & Governmental Affairs in December of 2020:9 P a g e

“The cyberattack had extremely disruptive effects on our school system, students, andstaff. We were forced to postpone our first day of school on September 8, followingmonths of intense planning for in-person learning amidst the COVID-19 pandemic. Whileour beautiful and capable students have been attending school either in-person or onlinefor nearly three months now, we are still repairing and recovering from the lingeringeffects of the attack.”28Phishing (Fraud)Anecdotal reports suggest that school districts are frequently the subject of mass email phishingcampaigns targeting individual employees and students, including gift-card scams and account takeoverattempts. In one commonly employed tactic targeting teachers, attackers abuse free email services,including Gmail, Outlook, Mail[.]ru, Hotmail, iCloud, and Yahoo to create fake email accountsimpersonating K-12 school personnel. According to Microsoft researchers:“The accounts are created based onpublicly available information, which isharvested from various websites or socialmedia platforms. They then use theseaccounts to send scam emails to theirtargets . Typical to BEC [business emailcompromise] scams and phishing attacks,the threat actors employ various lures andscenarios to fabricate a sense of legitimacyand to suggest urgency.”29As common as they may be, however, thesephishing campaigns are primarily dealt with bydistrict IT staff and rarely rise to the level of publicdisclosure.Instead, the types of incidents more likely to becaptured on the K-12 Cyber Incident Map arespear-phishing attempts involving the targeting ofthose with the authority to authorize large financialtransactions on behalf of the district. While theabsolute numbers of this type of publicly-disclosedphishing attacks against school districts are down from prior years, those that came to light reveal theseriousness with which this type of incident needs to be treated.Specifically, 4 separate incidents were reported during 2020 that confirmed thefts of school districtfunds, ranging from a low of 206,000—the result of a school official mistakenly entering school board10 P a g e

banking information into a malicious website—to a high of 9.8 million—involving the compromise ofcommunications of a district’s investment advisor and bank.30Across the approximately 20 such incidents cataloged by the K-12 Cyber Incident Map since 2016, themedian amount of money stolen in spear-phishing attacks against school administrative staff andvendors is 2 million per incident. In many cases, law enforcement is not able to retrieve these funds,and even in the cases where they can it may be weeks or more before funds are restored to the victims.11 P a g e

CHARACTERISTICS OF DISTRICTS AT RISKFor the 2020 calendar year, the K-12 Cybersecurity Resource Center catalogued 408 publicly-disclosedincidents involving 377 education organizations across 40 states. Of these, regular public school districtswere involved in the majority of cyber incidents. Notably, the number of charter schools thatexperienced incidents reached an all-time high during 2020 (equating to 11 percent of all incidentsexperienced during 2020). Other public K-12 educational entities in the 2020 dataset include regionaleducation agencies, state departments of education, state boards of education, and a state charterschool board. In line with trends from prior years, 12 percent of all school districts that experienced anincident during 2020 went on to experience at least one other incident during the year.For the 5-year period

10/3/2021 · K-12 CYBER INCIDENTS: ANALYSIS AND TRENDS . During calendar year 2020, the K-12 Cyber Incident Map cataloged 408 publicly-disclosed school incidents, including student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and other social engineering scams, denial-of-service attacks, and a wide variety of other .