ALBUQUERQUE, NM — For teachers at a middle school in New Mexico’s largest city, the first inkling of a widespread technical problem came during an early-morning staff call.
The video call featured recognition of a new administrator for his hard work and the typical announcements from administrators and the union rep. But in the chat there were indications of an impending crisis. No one could open attendance records, and everyone was locked out of class lists and grades.
Albuquerque administrators later confirmed that the outage, which blocked access to the district’s student database — which also contains emergency contacts and lists of which adults are authorized to pick up which children — was due to a ransomware attack.
“I didn’t realize how important it was until I couldn’t use it,” said Sarah Hager, an art teacher at Cleveland Middle School.
Cyberattacks like the one that canceled classes for two days in Albuquerque’s largest school district have become a growing threat to US schools, with several high-profile incidents reported since last year. And the coronavirus pandemic has amplified their impact: more money has been demanded, and more schools have been forced to close while scrambling to recover data or even manually wipe all laptops.
“Pretty much no matter how you slice it, incidents have both become more frequent and more significant,” said Doug Levin, director of the K12 Security Information Exchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risks.
Accurate data is hard to come by as most schools are not required to publicly report cyberattacks. However, experts say that public school systems – which often have limited budgets for cybersecurity expertise – have become a welcoming target for ransomware gangs.
The pandemic has also forced schools to increasingly turn to virtual learning, making them more dependent on technology and more vulnerable to cyber blackmail. The school systems where classes have been suspended include those in Baltimore County and Miami-Dade County, as well as districts in New Jersey, Wisconsin and elsewhere.
Levin’s group has tracked well over 1,200 cybersecurity incidents in public school districts across the country since 2016. These included 209 ransomware attacks, where hackers lock data and charge to unlock it; 53 “denial-of-service” attacks, where attackers sabotage or slow down a network by spoofing server requests; 156 “zoombombing” incidents, where an unauthorized person intrudes on a video call; and more than 110 phishing attacks, in which a deceptive message tricks a user into letting a hacker into their network.
The recent attacks also come as schools grapple with numerous other challenges related to the pandemic. Teachers get sick and there are no substitutes to cover for them. Where there are strict virus testing protocols, there aren’t always tests or people to administer them.
In New York City, an attack on software provider Illuminate Education this month didn’t disrupt classes, but teachers across the city couldn’t access grades. Local media reported that the outage added to the stress for educators, who were already juggling classes with enforcing Covid-19 protocols and covering colleagues who were sick or in quarantine.
Albuquerque Superintendent Scott Elder said that keeping all students and staff online during the pandemic has created additional opportunities for hackers to access the district’s system. He cited this as a factor in the January 12 ransomware attack that canceled classes for about 75,000 students.
The cancellations – which Elder called “cyber snow days” – gave technicians a five-day window to reset the databases over a holiday weekend.
Elder said there was no evidence that hackers obtained student information. He declined to say whether the district paid a ransom, but noted that if it did, there would be a “public trial.”
Hager, the art teacher, said the cyberattack increased stress on campus in ways parents didn’t see.
Fire drills were canceled because fire alarms weren’t working. Intercoms no longer worked.
Nurses couldn’t figure out which children were where when positive test results came in, Hager said. “So there may have been students on campus who were probably sick.” It also appears that the hack permanently erased a few days’ attendance records and grades.
Edupoint, the provider of Albuquerque’s student information database called Synergy, declined to comment.
Many schools choose to keep attacks secret or release minimal information to avoid revealing additional vulnerabilities in their security systems.
“It’s very difficult for school districts to learn from each other because they really shouldn’t be talking to each other about this because you might share vulnerabilities,” Elder said.
Last year, the FBI issued an alert on a group called PYSA, or “Protect Your System, Amigo,” and said it saw an increase in attacks by the group on schools, colleges and seminaries. Other ransomware gangs include Conti, which last year demanded $40 million from Broward County Public Schools, one of the largest districts in the country.
Most are Russian-speaking groups based in Eastern Europe, enjoying safe haven under tolerant governments. Some publish files, including highly sensitive information, on the dark web unless they are paid.
While attacks targeting larger districts get more headlines, ransomware gangs were more likely to target smaller school districts in 2021 than they were in 2020, according to Brett Callow, threat analyst at Emsisoft. He said this could indicate that larger districts are increasing their cybersecurity spending while smaller districts, which have less money, remain more vulnerable.
A few days after Christmas, the student information system in the Truth or Consequences district, south of Albuquerque, which has 1,285 students, was shut down by a ransomware attack. Officials there likened it to having their home robbed.
“It’s just this feeling of helplessness, of confusion as to why anyone would do something like that because at the end of the day it takes away from our kids. And to me, that’s just a disgusting way of trying to get money,” Superintendent Channell Segura said.
The school did not have to cancel classes because the attack occurred during a break, but the network remains down, including the keyless entry locks on the school building doors. Teachers are still carrying around the physical keys they had to track down earlier this year, Segura said.
In October, President Joe Biden signed the K-12 Cybersecurity Act, which requires the federal cybersecurity agency to make recommendations on how to better protect school systems.
New Mexico lawmakers have been slow to expand internet use in the state, let alone support schools on cybersecurity. Last week, state officials introduced a bill that would allocate $45 million to the state Department of Education to build a cybersecurity program through 2027.
Ideas on how to prevent future hacks and recover from existing ones usually require more work from teachers.
In the days after the Albuquerque attack, parents took to Facebook to argue over why schools couldn’t just switch to pen and paper for things like attendance and grades.
Hager said she even heard the criticism from her mother, a retired teacher.
“I said: ‘Mom, you can only take attendance on paper if you have printed out your roster beforehand,’” said Hager.
Teachers could also make duplicate paper copies of all notes, but that would double the clerical work that is already crippling them.
At a time when government is increasingly demanding that teachers record everything digitally, “these systems should work,” said Hager.