Press play to listen to this article
Cybercriminals, like anxious parents, are also waiting for schools to reopen.
As children prepare for the new academic year, schools are following hospitals, energy firms and food makers as the next prime target for gangs of hackers.
Gangs using ransomware — often operating from Russia — target low-tech sectors like health care, utilities and manufacturing services, which increasingly rely on digital tools but often lag in investing in cybersecurity to protect their systems. It makes for low-effort, high-reward targets for ransomware criminals.
“The ransomware campaigns that we are seeing now are only going to continue … Schools, whether they be private or government-run institutions, will often find themselves in the cross hairs of the attackers simply because they have proven to be easy targets in the past,” said Rob Krug, security engineer at Czech cybersecurity company Avast.
Just this month, the Dutch group ROC Mondriaan, which runs 26 high schools in The Hague and nearby cities for more than 25,000 students, announced a hack of its systems just days before reopening. It was left scrambling to secure and reboot its systems, while parents and students complained they lacked information on when and where to show up.
“It’s massive chaos. Telephone lines are down, email is too. We don’t have schedules and we can’t reach anyone,” said Patricia Korendijk, whose son Björn attends one of the schools hit in the hack.
“It’s back to basics using pen and paper,” the principal of one ROC Mondriaan school in The Hague told local news on Monday. The group did not respond to POLITICO’s request for comment.
The Dutch hack is not exceptional. A report published in July by cybersecurity company Sophos showed 44 percent of almost 500 education organizations surveyed across the world were hit by a ransomware attack last year. Among those hit, a third paid ransom to get their data back.
Another cybersecurity firm, Proofpoint, said its recent data showed 70 percent of surveyed cybersecurity officials from the European education sector feel at risk of suffering a “material cyberattack” in the next 12 months, with ransomware among the expected threats.
Cybercriminals have used ransomware to conduct audacious attacks on critical infrastructure and government systems. This year, the U.S. gas pipeline operator Colonial and Ireland’s national health care service were hit, disrupting fuel supplies and vaccine appointments.
With many schools focusing on mitigating the coronavirus pandemic and bringing back schoolchildren safely, Jake Moore, a cybersecurity specialist at Slovak cybersecurity company ESET, warned that “the initial weeks of the school year are when the education sector is at its most vulnerable.” Schools “are in new year mode,” he said, and “may become more vulnerable and take their eye off the ball.”
Hackers often bet on hitting schools during busy periods, when they are more likely to pay the ransom to avoid hassle.
“The success of a ransomware operation hinges on a hacker’s ability to obtain maximum leverage. This is because the more harm and disruption a threat actor can impose on a victim, the more likely they are to pay an extortion fee,” said Jamie Collier, consultant at threat intelligence firm Mandiant.
Last year, the U.K.’s National Cyber Security Centre (NCSC) flagged a similar peak in ransomware attacks in August and September. U.K. authorities also reported sporadic attacks this summer, including several on the Isle of Wight that forced a school to postpone its September reopening. The U.S. already kicked off a campaign in August to warn schools to prepare for attacks.
Schools also handle sensitive data like students’ evaluations and personal information like addresses, telephone numbers, health conditions and family information. This increases the pressure on school administrators to pay the ransom or see the data disappear — or worse, leaked online.
The cost of restoring IT systems in the education sector is also higher than in other sectors like banking and technology, the report by Sophos said, estimating the average bill of rectifying a ransomware attack at $2.7 million.
The impact of the coronavirus pandemic exacerbates the threat, experts said.
“The cold hard truth is that school systems and education providers are generally far less equipped to be able to provide meaningful security to prevent these attacks. This has been further complicated by the past 18 months of the global pandemic forcing school administrators to make the networks even more accessible for remote learning,” said Avast’s Krug.
Last year, the ROC Mondriaan pivoted to tutoring online due to the pandemic, moving all syllabi and schedules online, but all that is now unavailable, said Korendijk, the mother. Even as Europe ends its lockdowns, she said: “Nothing is happening. My son is stuck at home.”
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection. From the emerging threats of a volatile digital world to the legislation being shaped to protect business and citizens, across sectors. For a complimentary trial email [email protected] and mention Cyber.