It could be years before the FBI identifies the data theft of a student. In the meantime, cyber criminals have had a lot of time to abuse that person’s credit records.
That’s one of the reasons cyberattacks are up dramatically in kindergarten through 12th grade. According to the K-12 Cybersecurity Center, in 2020, 408 were reported in 377 school districts in 40 states.
Colleges and universities are also being hit hard. In November 2022, Cincinnati State had a data breach exposing information about faculty and students. The FBI is investigating.
Doug Levin is the national director of the K12 Security Information eXchange (K12 SIX), dedicated solely to helping school districts protect themselves from emerging cybersecurity risks like ransomware, phishing and data breaches.
“And while you may think that there’s nothing valuable in student data — after all, why should I care about Johnny or Susie’s algebra grade — the fact of the matter is, what these criminals are looking for is identity information.”
Levin says some superintendents and school board members don’t understand the risk. It must go beyond anti-malware technology and better monitoring tools. He says schools should also make sure their vendors are secure.
“Over the last several years, in fact, it has been school district vendors and suppliers that have been the source of the largest data breaches involving student and teacher data,” he says.
In October, the Federal Trade Commission brought a case against education tech provider Chegg for careless security that exposed the personal data of millions of customers. Levin says there is growing interest within school districts to do a better job of defending themselves against those risks. State and federal lawmakers are also paying attention.
Levin says if elected officials think school districts are not doing enough they may pass laws to actually “require schools and their vendors to meet at least some semblance of baseline cybersecurity defensive standards.”
Security training for students?
University of Cincinnati's Greg Winger specializes in the politics of cybersecurity and says if you haven't taken the right precautions, you need to do so now.
“We practice fire drills, tornado drills, robbery drills. We need to think more about practicing cybersecurity incidence response,” he says.
He's seeing huge upticks in criminal incidents, in part because it's easier to commit cybercrime. Winger says you can even buy prepackaged ransomware and it's easier to get paid with cryptocurrency.
“Admittedly the recent news of cryptocurrency hasn’t been great,” says Winger. “But the ability to take clandestine proceeds from cybercrime, especially ransomware, and be able to transfer that into actual currency, that makes it an easily more profitable industry.”
Winger says Cincinnati State did the right thing by reporting its cybersecurity incident to the FBI. He says so many others don't because it's embarrassing to admit you've been hacked.