Hackers had locked Sheldon ISD officials out of some of its most crucial software servers, encrypting data that helped keep the district’s business operations running. Employees’ bank account information, salary data, email communications, systems that enabled key fobs to open doors to campuses, even security camera systems were compromised.
Trustees in the 10,000-student school district in northwest Houston were forced into a choice: Pay the hackers a ransom of as much as $350,000 to obtain a digital key to unlock their hijacked systems, or spend the next five to six months rebuilding the affected servers from scratch.
“Obviously, I certainly would prefer not to pay the ransom in order to send a pretty strong message that we’re not going to do it,” Superintendent King Davis said in a March 19 emergency board meeting. “But the reality is, in order for us to be functional, I just don’t know how reasonable that is.”
At least five other Texas school districts were pushed to make similar decisions by mid-March of this year, according to the Texas Association of School Boards, the same number that were subject to so-called “ransomware” attacks in all of 2019. Fort Worth ISD officials said they would refuse to pay a ransom to hackers in early March, and Superintendent Kent Scribner said the district was able to isolate and stop the spread of the computer virus. Nacogdoches ISD spent several days offline due to an attack in February, and Athens ISD in East Texas paid about $50,000 to hackers after its servers were affected.
Similar attacks are happening to school systems across the nation. The personal information of some students and staff in the Las Vegas area was leaked online in late September by hackers after the Clark County School District refused to pay a ransom, according to the Wall Street Journal, which also was the first to report the Sheldon ISD incident. The Newhall School District in Southern California was affected in mid-September and Hartford, Conn., schools were forced to postpone school reopenings due to an attack there.
Law enforcement officials tell districts and other victims of ransomware hacks to avoid paying, said Doug Levin, founder of the K-12 Cybersecurity Resource Center. The rationale is that since the hackers are criminals the money they receive could be spent for other nefarious purposes, and, secondly, paying them encourages them to keep hacking others.
There has been a steep rise in the number of ransomware attacks and hackers targeting school systems across the country since the fall of 2019, Doug Levin said. In 2019, the group logged 348 publicly disclosed incidents of hackers infiltrating school districts’ computer systems, three times as many as the previous year. While there are three months left in 2020, Levin said it could be “record-breakingly bad” if incidents continue at their current pace. In recent years, Texas has led the nation in publicly disclosed school district hackings, according to the resource center.
Levin said the reason for the increase may be two-fold.
“One is that the tech systems that local government agencies like school districts run tend to be older, and they may be more vulnerable,” he said. “And they offer essential services, and so there’s not a lot of sympathy when those IT systems are down. People know about it, they’re upset about it — it affects their lives.”
That creates more pressure on local government agencies and school districts to pay ransoms, especially now that so many students are learning online. On campus, Levin said, teaching and learning could continue even if a district’s servers were down. With online learning, all progress would come to a halt.
While school closings due to COVID-19 have highlighted districts’ online platforms, Marcy Barker, a liability claims manager with TASB’s Risk Management Fund, said having people away from school buildings may have spared others a similar fate. She said hackers sometimes gain access to schools’ servers by parking near a campus and accessing the district’s wifi.
“That might be the good thing with COVID,” Barker said. “They might disable their remote access, it just depends on their protocols.”
She said hackers also can gain access through phishing, or sending malicious links to school district email addresses, but she has not encountered many of those cases.
Texas also has been more aggressive than some other states in creating measures aimed at stopping similar attacks. The Texas Legislature in 2019 passed a law requiring school districts to designate a cybersecurity coordinator, create a cybersecurity plan and report any hacking incidents to the Texas Education Agency.
Fort Worth ISD went a step beyond those new requirements after hackers infiltrated parts of its IT system. In September, the board of trustees unanimously approved a $242,750 contract with cybersecurity firm MaeTech to strengthen several areas of its technological infrastructure by December. According to the Fort Worth Star-Telegram, the district had already paid that firm about $94,000 to recover and recreate parts of its IT infrastructure after the ransomware attack in March.
The district also created a yet-to-be-filled chief information officer position to oversee the upgraded systems, according to a recent agenda packet.
Sheldon ISD ultimately paid the hackers $206,931 in March, and their insurance through TASB’s Risk Management Fund spent $100,000 to pay third-party negotiators, a forensic group to figure out what happened and vendors to come in and remediate residual damage. Barker, with the fund, said more districts are increasing their insurance in case they, too, suffer a cyberattack.
Derik Moore, a spokesman for Sheldon ISD, said the district was able to get its system back up and functional within a few days of paying the ransom, but it took weeks to resolve some lingering issues. They’ve increased staff training on cybersecurity issues and have increased the number of phishing simulations they do, which allows them to see how many staff members fall victim to potentially malicious email links. Still, he worries other districts remain targets.
Through postmortem investigations, officials found the hackers had the ability to access and download some documents that included student and staff members’ names and general information including test scores and demographic data. District officials notified those whose information may have been accessed in June and posted a general notice of the attacks on campus websites in July. Law enforcement was notified, but no arrests have been made.
“The hackers just want their money, but we rely heavily on this technology,” Moore said. “You’re dealing with thieves. You can’t trust them at all.”
©2020 the Houston Chronicle, Distributed by Tribune Content Agency, LLC.