Hackers target schools for money, personal information

HACKED! Sixth grade math teacher Kristen Bridwell illustrates what it may feel like for a teachers computer to get hacked. Hackers are targeting schools more than ever before.

Charles Deng

HACKED! Sixth grade math teacher Kristen Bridwell illustrates what it may feel like for a teacher’s computer to get hacked. Hackers are targeting schools more than ever before.

By Kaitlyn Burke, John Sevier Middle School

In October of last year, Johnson City Schools’ teachers and staff members received a message from computer hackers on their screens.

“Every byte of any types of your devices was encrypted,” the message read. “Don’t try to use backups, because it were encrypted, too.”

The hackers hit 314 desktops and 35 laptops that had to be replaced. The hackers hoped to ransom the computer data for money from Johnson City Schools.

There have been many cases across the United States recently in which hackers have broken into school networks to steal information or blackmail the school system. Kingsport City Schools’ network has not been a victim so far.
These hackers take students’ information and use it either for identity theft or ask the school system for money to give them access back to their own network. In some cases, these hackers don’t need to be adults; they can even be high school students.

Tony Robinson is the Chief Technology Officer for Kingsport City Schools. He joined the system in July 2019 and oversees all technology operations for the district, including all programs, services, policies, support and programming.

“Those are systems that people who want to do bad things on computers want to get into, because they hold certain types of records that can be exploited,” Robinson said. “So, school systems are vulnerable just because of the types of information they have. When a hacker or cyber criminal is looking for a certain type of information they think they can exploit, school systems are a perfect place for them.”

Two school districts in Long Island were hacked and held hostage over the summer. The Rockville Center School District paid $88,000 in bitcoin to get student and staff information back before the school year started.

The Livingston Schools district in New Jersey was also hit with a ransomware attack. School officials there tried to avoid paying the ransom and contacted the local police to investigate.

Other school systems pay up in order to get their data back, which costs the taxpayers a lot of money. Lyon County Schools in Nevada paid a ransom to the hackers who attacked their school system. How much they paid is not publicly available.

The type of information that hackers could get include students’ and parents’ dates of birth, addresses and social security numbers.

“Those things are definitely going to be housed in a computer system or in a database,” Robinson said. “Those types of systems are vulnerable. But if the right precautionary steps are taken to ensure that information is secure, then it should be 99.9% secure. There’s no way in information technology for anything to be 100% secure, but what you can do is try to be as secure as possible.”

People who are caught hacking could be sent to jail for up to 20 years. Still, there is a lot of money in hacking school systems.

“The way I look at it is if we pay them, what’s the incentive for them not to just keep doing it?,” Robinson said. “So we’re paying them and they’re going ‘okay, well, I’m just gonna keep doing it because people keep paying me’.”

Not paying the hackers, however, could lead to serious consequences for the school system and the parents and students.

“If we do get our data encrypted, [then] we can’t get to it and everyone’s in danger, not really in danger from a physical harm perspective, but in danger mainly from identity theft,” Robinson said.

So, would Kingsport City Schools pay hackers?

“It’s one of those things where you don’t know what to do until it happens,” Robinson said. “I want to sit here and say ‘I would never pay them’, but you don’t know what the situation is until you get there.”

Kingsport City Schools, however, is trying to avoid ever having to make that choice. KCS uses several layers of defense to make sure this kind of problem doesn’t happen in the first place.

“You put layers of defense in place,” Robinson said. “At each layer, you put some kind of defense. So, it’s got to go through all these different layers of defense to get all the way down to the end user, to the computer.”

Kingsport City Schools’ technology department also makes sure all systems are up to date, including anti-virus and anti-malware software.

“We’re always looking for new products and new ways to do things, trying to be innovative,” Robinson said.

Still, students and teachers always need to be careful when they are using the internet. There are hackers, for example, who make fake websites or hack into other companies’ websites to scam people and get access to their computers.

“Don’t click on every link you get,” Robinson said. “We do a really good job of locking down the websites that students can go to on their Chromebooks, but, somehow hackers got into that website without the owner knowing and they’ve attached ransomware or malware to it. So now you’ve gone to that website because it’s a reputable website. It looks fine. But because that website had gotten hacked, and gotten infected with the malware, the ransomware, now you have, too, because you’ve gone to the website.”

One of the main things that teachers can do is not click on everything that they get in an email. One of the most common ways that ransomware gets on a school computer is when teachers get an email that’s got some kind of link in it, and they click on it.

“An example of a phishing email might be ‘you need to update your password for Netflix’,” Robinson said. “Well, it’s not really from Netflix; if you look at the email address, it would say that it’s not from Netflix. And so when you click on that link, it redirects you to a page that actually downloads the ransomware.”

In the end, Kingsport City Schools is doing everything it can to protect parent and student information.

“Most school systems do take that extremely seriously,” Robinson said. “They are taking all the precautionary measures that they can. I can speak for what we do. Kingsport City Schools are both reactive and proactive. We have defense in layers. We have multiple layers of defense that someone would have to go through to get to the information. So, that allows us to, hopefully, be able to see it at one of those layers before it ever gets all the way in so we can stop it before it gets there.”

This story was originally published on The Sequoyah Scribe on April 13, 2020.