DALLAS — As schools begin to gear up for another semester online, parents in the Dallas Independent School District are worried about cybersecurity and the possibility of their kids’ and teachers’ information falling into the wrong hands.
Experts in online security say parents and teachers have good reason to be worried: Texas school districts have had at least 126 reported incidents of hacking, phishing schemes, and ransomware attacks since 2016, more than any other state according to the K-12 Cybersecurity Resource Center.
And that’s just the reported incidents, said Doug Levin, the president and founder of the K-12 Cybersecurity Resource Center and EdTech consulting, which tracks cyberattacks on school districts.
Texas school districts as well as school districts nationwide are being targeted in a growing number of cyberattacks, particularly now as schools are relying more than ever on technology. The coronavirus pandemic has only increased those risks as more classrooms have gone virtual.
In 2019, there were 348 publicly disclosed cyberattacks on school districts across the country. That was three times the number of incidents in 2018, according to Levin’s tracking.
In May, a Dallas magnet school was the victim of a Zoom meeting “bomb,” in which an unauthorized user got into the meeting and posted pornographic images while students, parents, and teachers from the Yvonne A. Ewell Townview Center in East Oak Cliff were using the video conferencing platform to plan upcoming graduation events.
Zoom bombing, while disturbing, is only a fraction of the damage hackers have done to Texas school districts.
Last year, the Manor Independent School District outside of Austin announced it had been hit by an email phishing scam that cost it $2.3 million in taxpayer money. The district said in February that it hoped to recover about $800,000.
San Felipe-Del Rio Consolidated Independent School District near the Mexican border said in February that several payments sent electronically to its bank to pay off bond debt had been rerouted into a hacker’s account.
Since 2016, hackers have bilked the state’s school districts out of more than $7 million in taxpayer money, according to the K-12 Cybersecurity Resource Center’s research.
It’s not just money that is at stake. There is a specific challenge for public institutions like school systems in that their employee directories are often online or publicly available. Hackers and online scammers have started to take advantage of that.
More than 116,000 Texas educators and 180,000 Texas K-12 students have been victims of data breaches since 2016, Levin estimates.
The state’s high number of cyberattacks in schools inspired the Texas legislature last year to pass two laws aimed at mitigating the problem in school districts and local government systems. The first law requires school districts by Sept. 1, 2019, to designate a “cybersecurity coordinator” responsible for reporting all incidents. The districts are also required to adopt a cybersecurity framework to identify the risks to their systems and to develop a plan to mitigate those risks.
Another law adopted in June 2019 requires state and local government employees as well as state contractors to complete a cybersecurity training program certified by the Department of Information Resources. This law came just months before the department reported a coordinated ransomware attack that affected 22 rural Texas municipalities.
The laws are a good step toward cybersecurity, but challenges still exist in school districts, Levin said.
“Because most school systems have relatively immature cybersecurity systems in place, they aren’t in a great position to know right away if they have been attacked,” he said.
Cybersecurity is rarely prioritized in school districts, not because school officials aren’t concerned or aware of potential problems, but because of staffing and economic constraints.
In the private sector, a business might have one support staff for every 200 to 300 users, while in the education sector, it’s typically one support staff for every 1,000 to 1,200 users, Levin said.
School IT specialists are usually focused on keeping a wide variety of users, from students to teachers to administrators, connected online and their equipment working properly, rather than specifically on cybersecurity.
Rigorous cybersecurity measures such as logins that require two-factor authentication slow down the process of getting online, particularly for school-aged users.
This makes the recent Texas law requiring a cybersecurity plan particularly important.
The Dallas ISD said in a statement that it takes seriously its responsibility to protect confidential student information.
“The Information Technology department has adopted rigorous cybersecurity control standards for securing confidential information, including firewalls, data encryption, access controls, multi-factor authentication, and more. Additionally, the District employs a team of trained cybersecurity professionals to manage security operations and investigate cybersecurity events. While no system is completely foolproof, parents may take some comfort in knowing that online instruction is safe,” the emailed statement said.
The school district now requires a password to access all Zoom conferences as part of protocols put in place last spring.
While many parents who have expressed concerns about cybersecurity are familiar with Zoom bombing, parents do have other issues to worry about as well as steps they can take to protect their child’s information.
Criminals have used a child’s identity to open credit lines, even if the child is a minor. Parents can prevent this by freezing their child’s account on credit monitoring services like Equifax.
Another worry is that personal records for students are kept online, which could include records on bullying, immigration status, family or medical issues, gender issues, or other private information. Hackers can use such personal information maliciously.