DALLAS (CBSDFW.COM) – A rising number of cyberattacks on Texas schools is exposing a troubling vulnerability.
A CBS 11 I-Team investigation found in the past two years at least 67 school districts in Texas have suffered a cybersecurity breach.
The incidents range from teachers accidentally emailing student personal information out to the whole class to overseas ransomware attacks that paralyses an entire district’s computer system.
Last fall, Arlington ISD officials said a hacker used a substitute teacher’s credentials for the library system to access the personal information of more than 2,000 students. Names, dates of birth, and addresses were all taken.
The hacker turned out to be a student.
“If it’s happening from a mischief related thing, I suppose that makes us feel a little better,” said Eric Upchurch, the district’s superintendent of technology. “This was not a situation where there was a large gap in our system that countries could exploit.”
But that’s not the case for many schools.
A growing number of attacks on Texas schools are coming from outside the country.
The CBS 11 I-Team identified 27 school districts that have been hit with ransomware in the past two years.
These attacks often use social engineering to get an employee to inadvertently launch malicious software that locks up computers until a demanded payment is made.
One district shared with the I-Team the demand message that appeared on the school district’s computers.
It read “All your files have been encrypted!… You have to pay for the decryption in bitcoins. The price depends on how fast you write us.”
Two years ago, Paris ISD was hit with a ransomware attack believed to have come from Russia.
That same day its neighboring school district, North Lamar ISD, was also hit by an overseas cyberattack.
A couple of weeks later, Rockwall ISD along with other Texas districts were hit.
Paris ISD’s technology director said his district was lucky as his team was able to disconnect their computers before the attack reached all of their backup systems.
“Every server that we had was affected,” Dale Loughmiller said. “We were fortunate that we had multiple copies of our backups.”
Not every district has been so fortunate. Many attacks encrypted backup systems, while other districts did not have an adequate backup to restore from.
A CBS 11 I-Team investigation also found there are likely far more of these attacks on schools than go reported.
Mesquite ISD and Fort Worth ISD did not report their recent ransomware attacks to the Texas Education Agency.
According to Texas law, school are not required to report cyberattacks to the state agency as long of there was no evidence that student personal information was stolen during the attack.
In fact, school districts are not required to tell anyone if that is the case.
Cybersecurity expert Ben Singleton said the lack of transparency and reporting of cyberattacks is making the problem worse.
“If you don’t disclose that information, we don’t know about the attacks and we in the cybersecurity industry rely on these attacks to discover how they’re breaking into these networks,” said Singleton, co-founder of the Arlington cybersecurity firm netGenius. “We need to know what tools they’re using so that we can properly defend against.”
Singleton said cybercriminals like to target school computer systems because they house thousands of valuable child identities.
On the dark web, a child’s identity is often worth more than an adult’s.
Cybercriminals can use a child’s Social Security number to create a whole new identity and it often goes undetected for years.
Cybercriminals also target school computer systems because many are easy to hack.
“They’re looking to exploit the failure of these districts to defend their network,” Singleton said. “So, a school district that doesn’t have adequate cyber defenses in place becomes a target.”
However, experts say the biggest reason schools have become a popular target for ransomware attacks is because schools pay.
When Port Neches-Grove ISD was hit with a ransomware attack in 2019, the district paid the attacker $35,000 in bitcoin.
Sheldon ISD in the Houston area paid more than $207,000 in ransom after an attack last year.
This summer, Judson ISD officials said they had no choice but to pay more $547,000 in ransom or risk having sensitive information published.
Schools districts are often put in a difficult situation with hackers threatening to publish personal information of students, such as names, addresses, and Social Security numbers.
Meanwhile, Lancaster ISD, along with other school districts, have declined to say if the district paid a ransom after a recent cyberattack.
“Once you show the world that you’re a soft target who’s willing to pay, more schools are going to get hit because of it,” Singleton warned.
Even when schools do not pay a ransom, these attacks are often costly.
According to school board records, Fort Worth ISD paid an IT company $94,400 last year to help the district recover from a ransomware attack.
Athens ISD had to delay the start of the school year last year for a week while the district worked to get its system back up and running after an attack.
Singleton said until school districts invest in cybersecurity, the attacks will continue.
The Center of Internet Safety that monitors emerging threats is projecting a 86% increase this year on cyberattacks on schools.
“I think there’s a false sense of security,” Singleton said. “I think that administrators don’t fully understand how this all works and they may be getting some bad advice from their network administrator telling them they’re okay.”