Kids at Risk, Parents in The Dark – CBS Sacramento


SACRAMENTO (CBS13) — Cybercriminals are targeting schools at an alarming rate and putting kids at risk of identity theft – and their parents may never know. CBS13 has uncovered alarming school cyber attack statistics and a lack of school policies for tracking and reporting these attacks.

  • Schools are not required to report cyber-attacks to any governing body.
  • In most cases – parents don’t even have the right to know that their kid’s school has been attacked.
  • CBS 13 asked more than 50 local districts about their cyber security policies and only one district confirmed that it actually had one.
  • Meanwhile, CBS 13 reviewed more than 120 recent school cyber incidents in California at K-12 schools, including more than a dozen ransomware attacks. At least one was never reported publicly or to parents.

From high schoolers fresh off distance learning, to “Mr. Code’s Wild Ride” coding classes, most kids realize the repercussions of a cyber attack—but it turns out that their schools may not.

According to a recent IBM survey, roughly half of educators and administrators said they were “not concerned” about cyber attacks.

When CBS13 asked local school districts about their policies for tracking and reporting breaches, only one out of 50 school districts confirmed that it actually had a policy.

Two school districts said they were in the process of developing a cyber-attack reporting policy, and several said they needed additional time to respond, which is allowed under California’s Public Records Act. However, the vast majority of school districts did not respond at all to CBS13’s request.

Meanwhile, CBS13 has identified more than a hundred publicly reported cybersecurity incidents at California K-12 schools, including nearly a dozen recent ransomware attacks. Ransomware is a type of malicious software that locks up computers and files until a ransom is paid.

We confirmed at least one ransomware attack in a Placer County school district was never reported publicly or to parents.

Cyber security analysts tracked more than 1,600 ransomware attacks on school districts nationwide last year alone.

And there are increasing reports that student information, from hundreds of these breaches, is now available on the dark web, where kids’ information sells for a premium because their clean credit histories make them ideal targets for identity thieves.

Most won’t discover they’ve been victimized for years.

This Toledo incident was referenced in a letter, from Senator Blackburn to the Department of Education, calling for accountability and data on the number of kids impacted.

“These incidents are happening much more frequently than many people understand,” said Doug Levin, the director of the non-profit K-12 Security Information Exchange, which helps protect schools from cyber threats.

His group tracks publicly reported cyber-attacks but he says most schools never report them.

“It’s very difficult to make progress on this issue when we’re kept in the dark,” Levin said. “Parents can’t protect their children and policymakers don’t know that there is a need to take action to protect their communities.”

California tops the FBI’s internet crime report for total victims and money lost, and Levin says California is among the top three states for school cyber-attacks.

Yet, the California Department of Education tells us, “There is no requirement for schools to report ransomware attacks to either state or federal entities.”

“Cybersecurity practices for school districts are largely unregulated right now across the US,” Levin said.

The California Department of Education (CDE) told CBS13 that schools may “self-report” to private entities. CDE provided a link to Levin’s nonprofit and data breaches in its response to CBS13. However, Levin says he is not aware of any schools that have ever self-reported.

The CDE also told CBS13 that it is not aware of any school districts in California that have paid a ransom.

“There have been public reports of California school districts who have paid,” Levin pointed out, “which [means] obviously they’re not tracking either.”

In fact, Levin notes that there is no consistent standard for who should be notified of school breaches, and it appears that even state regulators are confused.

CDE did point CBS13 to this federal law, which they initially said required that parents and students be notified if a student’s information is disclosed. But the feds say that’s simply not true—the law does not require schools to notify students of compromised information.

Several districts told CBS13 that they would, in some cases, notify families under the California Data Security Breach Notification Law—which applies to California businesses and agencies.

But other districts seemed unaware of the state law, or said it wouldn’t necessarily apply to ransomware attacks without evidence hackers actually “acquired” specific personal information.

“Really what they’re saying is we don’t have evidence that student data was stolen,” Levin said.

But he stressed that schools should assume private information was compromised after any ransomware attack because hackers often have access to school servers for days or weeks before they activate ransomware.

“I mean, at that point, the damage has been done,” Levin said.

The California Data Security Breach Notification Law, which does not specifically reference schools, only requires reporting of specific types of information that was knowingly “acquired by an unauthorized person.”

Under the law, agencies are also supposed to report breaches impacting more than 500 people to the California attorney general. However, California Attorney General Rob Bonta’s office did not respond to repeated requests for information about requirements under the law or whether any school incidents have ever been reported to his agency.

One local district—which had two recent unreported attacks—said it only reports cyber attacks to its insurance company. The district added it would only notify students and families based on advice from that insurer.

“The insurance companies should not be the ones making that determination,” Levin said. “These are public institutions using taxpayer money to provide valuable services to a sensitive population. Our children.”

In Texas, schools must report stolen student information to the state education agency. A bill in Illinois would require schools to report any cyber breach to the department of education there. And this federal bill would commission a study on cyber security risks facing schools.

But so far, nothing requires California schools to track or report the increasing cyber-attacks.

The Center of Internet Safety, which monitors emerging threats, is projecting an 86% increase this year in cyberattacks on schools.

Experts recommend placing a credit freeze on your child’s social security number with all three credit monitoring services, Experian, Equifax and TransUnion. A child credit freeze can help prevent hackers from using their information to open credit cards or take out loans in their name.

The law enabling child credit freezes in California was prompted by previous CBS13 investigations.


