When the Concord School District experienced a cybersecurity attack in 2016, Pamela McLeod was the director of technology. The aftermath, she recalled, was crushing.
The infiltrators swept up the W-2 wage and tax forms for all of the district’s employees, which included their names, addresses, and Social Security numbers. The targets were forced to move quickly, check their accounts, and initiate credit monitoring. And the attack wasn’t limited to adults; student refugees, who were working as custodial staff in the summer, were also swept up, McLeod said.
“It’s just devastating,” she said. “And it really takes all of the district’s time and resources to handle an attack like that, for a period of two to four weeks.”
Seven years later, McLeod is the founder of the New Hampshire Student Privacy Alliance and the New Hampshire Chief Technology Officers Council. And the cybersecurity threats to New Hampshire schools have only grown.
From 2016 to 2022, 1,619 schools across the U.S. have reported being the target of security breaches, which can often involve stealing personal information and holding it hostage for ransom, according to the K12 Security Information eXchange, a research nonprofit. Most recently, the Nashua School District reported a “sophisticated attack” in late April; an investigation involving federal law enforcement is still ongoing.
At a panel Monday at Saint Anselm College organized by Sen. Maggie Hassan, state officials, private sector security experts, and former school administrators came to agreement on one clear point: K-12 schools are vulnerable targets. And unless school districts take proactive measures, attempts to take advantage of them will likely increase.
The consequences can be dire: Beyond staff and parent information, the Social Security information of students can be held and used to take out fraudulent loans once they are adults, years after the actual breach.
“It’s hard to understate how great a threat and a risk there is for schools,” said Daniel King, New England chief of cybersecurity for the U.S. Cybersecurity and Infrastructure Security Agency.
In Nashua, the school district has not provided many details on the nature and scope of its breach. On June 18, two months after the breach, Superintendent Mario Andrade sent an email to parents and staff members that said district officials had made significant improvements to the security systems that were breached, and were “unaware of any actual or attempted misuse of any personal information because of the cyberattack.” But the email added that an investigation was continuing, and that the school district recommended parents and staff members “remain vigilant against incidents of identity theft and fraud by reviewing account statements and explanations of benefits and monitoring free credit reports for suspicious activity.”
“If it is determined through our investigation that sensitive information stored on our systems was impacted, we will notify affected parties directly,” stated the email, which was provided to the Bulletin by the district.
Today, state and federal officials are working to ramp up financial and technical support for schools to better prepare themselves against future attacks.
In 2018, the New Hampshire Legislature passed a bill, House Bill 1612, that required each school district to develop a data and privacy governance plan that includes an accounting of the software the district uses; specific policies for data protection and privacy, and a response plan in case of a data breach. Those plans must be updated annually.
In 2021, Congress passed a $1 trillion infrastructure bill that included a measure co-sponsored by Hassan to devote $1 billion toward cybersecurity programs over four years, 80 percent of which must be passed on to local governments and school districts. New Hampshire’s Department of Information Technology is currently helping distribute that, Commissioner Dennis Goulet told the panel Monday.
Meanwhile, New England officials with the U.S. Cybersecurity and Infrastructure Security Agency are talking to school districts in the state to guide them on best practices and give tailored advice on where they should invest in security upgrades.
Officials are focusing on a range of tools, from encouraging the requirement of multi-factor authentication every time a staff person logs in, to improving the way sensitive information is compartmentalized to be harder to access, to training employees how to spot and avoid phishing scams. Some of the measures districts can take are not expensive and simply require new procedures. And the investment trade-off can be significant: A major breach can cost a district millions of dollars to repair, even if the ransom is not paid.
But in some cases, budgets are a limiting factor. Many districts struggle to hire or retain sufficient information technology staff, when private sector jobs in that profession can offer much better benefits. And some companies like Google and Microsoft put their most secure features behind a paywall, adding budgetary strain, McLeod noted.
While the evidence suggests that cyberattacks are increasing, the full extent of their use is hard to pinpoint. Many victims – both individuals and large organizations – do not report the breaches publicly. Often, those organizations or local governments are advised by private law firms and insurance companies, who may encourage silence or cooperation with the cyberattackers.
Those failures to report complicate the ability to properly respond, officials said Monday. When organizations report attacks, other government entities, like school districts, can take measures to safeguard against similar attacks. A week after Nashua was breached, a school district in the Upper Valley region of New Hampshire was also attacked, said Timothy Benitez, the Manchester resident agent in charge of the United States Secret Service, who declined to identify the district.
“It does happen in waves,” he said during the panel discussion. “…It’s important to cooperate and coordinate and don’t be afraid to share this information. It’s really a defense.”
And because attackers often focus on multiple victims, law enforcement can use each individual breach to build a bigger case and prevent future infiltrations.
Often, the U.S. Secret Service – which has a lesser-known branch dedicated to investigating cyber crime – can use the information provided by one breach to glean details about the attacker that can help them track down offenders in international investigations, said Benitez. Those attackers tend to use cryptocurrency, a blockchain-based technology whose transactions investigators can track.
But for some organizations, and even public entities, security breaches carry a stigma – and a fear that reporting them could invite public blowback and professional consequences. And while government officials urge victims of attacks not to give in to attackers and provide ransom, some do so anyway, at the urging of lawyers of insurance agencies.
“If someone broke into a classroom and stole all their computers and switches and other technology, law enforcement would be notified, and that would likely be on the front page,” said Richard Rossi, New Hampshire cybersecurity advisor for the Cybersecurity and Infrastructure Security Agency. “But when we have a cyber attack of the same magnitude, that’s often swept under the rug.”
Cybersecurity experts in New Hampshire say they are trying to break through that hesitation. And they are working to convince districts and school boards that digital security measures are worth the investment, no matter how big or small.
“One of the common things that I keep hearing is ‘We’re too small, it would never happen here.’” said Rossi. “Well, you may not think you’re a great target. But (to an attacker), you may be a fantastic target. And your ability to pay what you think is an insignificant amount of money may be a significant amount of money to an overseas actor.”
Concord’s 2016 breach came ahead of what has been a recent wave of attempted phishing attacks on school districts, some of which have focused on exploiting schools’ increased use of technology following remote learning efforts during the COVID-19 pandemic. To McLeod, who no longer works for the school district, it was a useful harbinger.
“I consider us fortunate to be breached early,” she said. “That really enforced and influenced our approach to cybersecurity.”