The attack affected the more than 35,000 district students and staff and resulted in a breach of data for 6,700 people. The district also confirmed that no ransom “has or will be paid in response to this attack based on the advice of our cybersecurity experts and what is in the best interest of the school district and community,” according to the district website.
None of those individuals whose data was breached was notified of the attack until this week, according to a press release. “Waiting for over five months to notify individuals that their data might have been exposed will not win you a ‘rapid response contest’ anytime soon,” said Stephen Gates, principal security SME with cybersecurity firm Horizon3.ai, in a statement shared with Emergency Management.
“We as an industry must do better in alerting those potentially impacted so they can take some sort of defensive action sooner rather than later,” Gates said. “School systems are often easy pickings for attackers. Their IT staff, who are usually responsible for security, tend to be overworked and underpaid, and the security technologies at their fingertips are not always the best and the latest.”
The breach was the third to occur in an Iowa school district in the last year; 37 K-12 school districts in the United States have been hit since the start of the year. There were a total of 89 ransomware attacks on the education sector in 2022.
The numbers show that virtually no component of the public sector is safe from attacks, giving emergency managers another growing scenario to wrap their arms around.
Des Moines Public Schools said it took immediate action to improve the security of its data systems and improved security measures and that additional technical safeguards are being implemented to prevent future attacks.
