Cyberattacks targeting K-12 schools hit record levels in 2020

K-12 cybersecurity incidents have steadily climbed in recent years, but 2020 was especially bad in terms of both the quantity and severity of attacks, according to a study published Wednesday by organizations that have closely tracked such incidents since 2017.

Although the first quarter of 2020 started on a similar trajectory to the year prior, attacks grew when the coronavirus outbreak hit the U.S. and ballooned to record levels later in the year. There were 160 disclosed K-12 cyber incidents in the third quarter of 2020, when schools adopted new learning platforms and deployed thousands of new devices to students and educators, compared to just 49 incidents in the first quarter of the year, according to the study, which was produced by the K12 Security Information Exchange (K12 SIX) and the K-12 Cybersecurity Resource Center. The organizations tracked a total of 408 reported cybersecurity incidents against K-12 schools in 2020, though the number of unreported attacks is likely significantly higher.

But in addition to an increase in the number of incidents, 2020 also brought the introduction of more serious attacks, including a new type of incident that the report calls “class invasion”—when unauthorized individuals disrupt online classes, often with hate speech, shocking images, or threats of violence. 

“During 2020 for the first time we saw examples of data exfiltration leading to identity theft happening alongside ransomware incidents. We’ve seen increasingly large extortion demands from actors—in some cases $1 million or more,” said Doug Levin, the national director of K12 SIX. “Schools that experienced a ransomware incident also were more likely to close schools completely, often for a week or more.”

Levin, speaking at a conference dedicated to the issue on Wednesday, said there were a few steps that schools and government officials could take to help curb the rising trend of cyberattacks on schools. First, schools must invest in greater IT security capacity, which includes both money and personnel. Schools also must develop better contingency plans for dealing with cybersecurity incidents, and vet the security practices of the vendors they work with. Levin also called on the creation of federal and state school cybersecurity regulations and laws—which got some support by at least one speaker. 

Rep. Jim Langevin (D., R.I.), a founder of the Congressional Cybersecurity Caucus who serves of the Cyberspace Solarium Commission, said at the event that he plans to reintroduce a bill that calls on the Cybersecurity and Infrastructure Security Agency to establish an information sharing operation for K-12 education and provides grants to bolster the cybersecurity workforce at the K-12 level, among other things.

“Cybercriminals have no honor and no reluctance to attack our schools… every year, dozens of schools are attacked by ransomware,” said Langevin, who added that a district in his own state experienced a ransomware attack in 2019 that took about six weeks to resolve and caused hundreds of thousands of dollars in losses.

Other notable findings from the report included:

• Data breaches are the single largest category of cybersecurity incidents that K-12 schools face, followed by ransomware, denial-of-service attacks, and phishing incidents.
• Wealthier, larger, and suburban school districts were more likely to have a reported breach. “We could go down a rabbit hole as to why this may be,” Levin said. “But school districts with more technology might be more likely to experience an incident”
• At least 75% of all data breach incidents affecting U.S. public K-12 school districts were the result of security incidents involving vendors.
• Schools for the first time were targeted by ransomware actors who also exfiltrated sensitive data. The personal information of at least 560,000 current students and 56,000 current staff were exposed in these incidents.