Those emails were quickly pulled from user inboxes, according to the district's technology services director, Brian Schaffeld, though not before some in the school community clicked links to fraudulent Google forms and entered personal information.
While Schaffeld emailed parents that there was no breach in sensitive student or staff information managed by the district, the incident served as a strong reminder of the increasing threats cyber criminals pose to schools, and the damage they can inflict on a district's day-to-day operations.
It also highlights the efforts districts are taking to safeguard sensitive information.
So, how are the biggest school districts in the mid- Willamette Valley keeping student data safe?
GROWING THREATS
The phishing attack at the Corvallis School District happened on Feb. 27, after two staff email accounts were compromised, triggering a batch of bogus emails to approximately 4,200 addresses belonging to staff and students, according to Schaffeld.The district notified parents in its own email about the incident the following day.
Fewer than 5% of students and 1% of staff clicked on the link contained in the phishing emails before all were pulled, Schaffeld said in a statement.
Phishing, or the gathering of personal information through deceptive emails or websites, is a key cyber threat on districts' radar, and for good reason.
Cyber attacks have risen over the past few years, and K-12 school districts have become an increasingly desirable target, according to a 2023 report from the federal Cybersecurity and Infrastructure Security Agency.
The attraction grew during the pandemic, when schools shifted toward remote learning, providing laptops and iPads for students and adopting more networking technologies, which opened schools to more vulnerabilities, according to the report.
Many of those technological changes remain even as COVID-19 has receded as a public health emergency.
Between 2018 and 2021, the number of publicly disclosed cyber attacks against districts, including phishing and ransomware incidents, rose from 400 in a year to 1,300-plus, according to the report.
TRAINING AND SUPPORT
In an email to Mid-Valley Media, Schaffeld said the Corvallis School District has worked for the past three years to shore up its security for its website, emails, and student and business information systems, including through employee training.
According to Greater Albany Public Schools' newest technology director, Kathi Etchemendy, the biggest security feature a district can employ is a well-trained staff.
Often the easiest way to breach security is not through technical know-how but through social engineering, Etchemendy said. That's a reference to deceptive practices employed by scammers to get passwords and other sensitive information, such as pretending to be a colleague in an email.
"There isn't a single person in the world who hasn't fallen prey to a phishing email," she said. "And if they think they haven't, they just didn't know about it."
Along with mandatory cybersecurity training for staff, Etchemendy said GAPS works to strengthen its employees' skepticism muscles by sending out fake phishing campaigns to test their readiness.
The Lebanon Community School District tests employees similarly, according to the district Technology Infrastructure Director Peter Klingler and Support Services Director Alisha Port. District staff are also required to do two cybersecurity training sessions at the start of each year.
Lebanon, GAPS, Corvallis, and other districts get cybersecurity assistance from the Linn Benton Lincoln Education Service District, which is kind of like a super district that provides services to schools in its namesake counties.
A big development this school year for the districts under the ESD's umbrella was a shift to a new student data management system called Synergy.
Beyond sensitive academic data, that system includes student demographics, addresses and contact information, according to Klingler and Port. It also requires multifactor authentication to access.
One big concern for all school districts is ransomware attacks, when cyber criminals employ malicious software to block access to critical data until they're paid huge sums.
That kind of an attack can not only threaten student data but disrupt a district's operations for multiple days.
"For an IT guy, that's always running in the back of your head," Klingler said.
The Linn Benton Education Service District helps schools stay insured against cyber incidents by making sure they're meeting current security requirements.
Lebanon, GAPS and Corvallis are insured through PACE, or Property and Casualty Coverage for Education, which provides coverage for most Oregon school districts.
According to Schaffeld, requirements this year include committing to deploy endpoint protection software — programs that watch for unusual behavior on devices and systems — and additional cybersecurity training for employees.
For Etchemendy, other key resources for districts in the region are their neighboring districts, whether that means sending over hardware or personnel to help when issues occur.
"It's a really collaborative environment," she said. "When one district goes down, we will be there to help each other," she said.
©2024 Corvallis Gazette-Times, Distributed by Tribune Content Agency, LLC.
