School districts in Maine, Tennessee respond to holiday cyberattacks
At least two U.S. school districts suffered cyberattacks over the Christmas and New Year's holidays, continuing an annual trend of hackers targeting K-12 schools and colleges during periods when IT staffing is at its lowest.
South Portland Public Schools in Maine said it was forced to take its network down on Sunday after a cyberattack was discovered over the weekend.
Andrew Wallace, director of technology at the South Portland School Department, sent a letter to parents on Monday explaining that officials took the network down in an effort to protect student data and other information that was at risk.
Wallace told Recorded Future News that the attack was initially discovered through a network detection system from local vendor Blue Spruce — which the school district purchased through a grant offered by the Maine Department of Education.
“On Sunday that same service detected suspicious activity and discovered that our firewall had been compromised. Fortunately we were able to disconnect the equipment from our network and turn off the Internet as we investigated,” Wallace said.
“We believe, based on the IP address, that it was originating from Bulgaria. After having our vendor partners analyze the access logs and activities on the network, we believe that no student data or staff was compromised — but it certainly was disruptive and stressful.”
Wallace added that the school district is “cautiously optimistic that the remedies put in place over the past twelve hours have addressed the problem” but said they will continue to scan their networks and equipment for any unexpected behavior.
Because the attack took place over the weekend, Wallace said his team was able to get systems back online before school began on Monday. The school district had cybersecurity companies on site on Monday morning, as well as IT officials from the City of South Portland, to assist with the recovery effort.
The school district serves about 3,000 students and has nearly 600 employees.
The attack was announced days after officials in Rutherford County, Tennessee, confirmed that they had also been hit with a cyberattack.
Rutherford County Schools — which serves more than 51,000 students — said on December 27 that it had been dealing with a “network and systems disruption” since November 25.
The Thanksgiving cyberattack prompted an investigation requiring third-party cybersecurity experts — who revealed that “some employee personal information” was stolen during the attack, the district said.
“We do not believe it includes all of our employees, but we are conducting a thorough investigation. In addition, some student information was subject to unauthorized acquisition,” said Jimmy Sullivan, director of schools at Rutherford County Schools.
“The investigation will include a thorough review of the data that was potentially impacted. Once our review is complete, we will notify affected individuals in accordance with applicable laws.”
Neither attack has been claimed by a hacking group, but several school districts across the U.S. were listed on ransomware leak sites between the Thanksgiving, Christmas and New Year's holidays.
Seasonal headaches
Dozens of K-12 schools were attacked by ransomware gangs one year ago — with several being forced to cancel school days.
In 2024, the White House announced an array of federal and private industry initiatives to strengthen the digital defenses of K-12 schools that included cybersecurity guides, a $200 million pilot program from the Federal Communications Commission (FCC), cybersecurity trainings from federal agencies as well as millions in grants from companies like Amazon, Google and Cloudflare.
“For some time educators have been sounding the alarm that schools are increasingly a prime target for cyberattacks. They are happening in school districts in big cities and small towns, in Georgia, Illinois, Pennsylvania and many more places in between,” FCC Chairwoman Jessica Rosenworcel said during a September speech to the State School Boards Association.
“In fact, according to your white paper on this topic, the number of disclosed cyber incidents at schools is now 400 a year and growing. Recovery times range from two to nine months. And the losses can run into the millions — on top of the loss of learning for students.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.