Ransomware Attacks on School Districts and the Resulting Impacts on Transportation Departments

Ransomware attacks – in which a software first maliciously steals information from an organization, and then locks that information until a ransom is paid to hackers – are on the rise against American public school districts.

The nature of ransomware has evolved in recent years, lending to an increase in the severity of attacks.

“Ransomware 1.0 locked organizations’ systems under an encryption until that organization paid the criminals for an encryption key,” said Brett Callow, threat analyst at Emsisoft – a provider of anti-virus and anti-malware software. “Ransomware 2.0 started around 2019. Now attackers first steal a copy of the data before encryption. Organizations then have two problems – the system is locked from use, and the sensitive information will be posted online if the organization does not promptly pay a ransom.”

Last year there were 84 separate incidents of ransomware attacks on educational institutions and school districts. In all, 1,681 schools, colleges and universities were impacted by ransomware in 2020. 

According to data published by Alagen Security Professionals, notable 2020 attacks included:

Baltimore County Public Schools in Maryland suffered an attack which closed schools for 115,000 students, requiring the school to rely on Twitter and robocalls to communicate with parents.

Fairfax County Public Schools, the largest school district in Virginia, was attacked by cyber-crime outfit MAZE, demanding a ransom for stolen sensitive data.

Burke County Schools in North Carolina suffered an attack just two weeks before closing due to COVID-19. This required the district to delay remote-learning by two weeks – but thankfully the district was able to contain the attack and prevent further incidents.

Many more districts last year suffered similar attacks of
varying severity.

Impacts on Service Delivery

“A ransomware attack can bring everything to a grinding halt,” Callow said. “All of a school district’s electronic systems, whether linked to payroll or transportation, may be unavailable after an attack.”

Callow added that the information seized by hackers can include all types of data — ranging from employees’ and students’ addresses and Social Security Numbers to extremely sensitive information related to students’ health or alleged criminal activity.

“It is the worst-case scenario for a school district,” he said. “If financial information leaks, at least someone can eventually fix their credit score. If information about a sexual assault leaks publicly, for example, there is nothing you can ever do to rectify that harm.”

When districts and schools do not pay up, the information is posted to hacker-operated “leak sites.”

“Some of these leak sites are quite highly trafficked,” Callow said. “A single page can get more than 30,000 views in some cases, allowing a considerable number of criminals to access this data.”

Dr. Linda Bluth, Ed.D, added that ransomware attacks have considerable implications for compliance with the Family Educational Rights and Privacy Act (FERPA).

“Knowledge about FERPA is key for compliance with FERPA requirements, especially in light of ransomware activities impacting school districts,” she said. “It is far too easy to forget about confidential student information contained in such documents as transportation emergency information, routing data, individualized education programs (IEPs) and special health care plans.”

“In addition, school districts billing Medicaid for eligible children with disabilities should cautiously protect this personally identifiable information as well,” Bluth added. “All federal and state confidentiality requirements should be known and strongly enforced.”

Lessons Learned

When Baltimore County Public Schools (BCPS) suffered its ransomware attack last year, the potentially impacted population was large. BCPS serves approximately 110,000 to 115,000 students, with upwards of 84,000 students relying on BCPS bus transportation. The district has approximately 1,200 employees between the Office of Transportation’s operations staff, fleet staff, business management staff, and contractors.

Dr. Jess Grim, director of the BCPS Office of Transportation, said that the attack essentially crippled every computer on the district’s network. For just over two days the district was relegated to cell phones and social media for all work
and communications.

“The attack occurred just before Thanksgiving, which thankfully allowed our IT staff a few extra days to work on the problem,” Grim said. “But we lost everything. We could not get safely into our emails, nor use our office phones. We were instructed to remove the email apps from our cell phones. It was dramatic and affected every aspect of our computer-based processes.”

The Office of Transportation was unable to utilize its routing software for eight weeks, resulting in a reversion to map-based routing and manual scheduling. Paper routes and PDFs existed for this year’s routing data, but it could not be accessed via the district’s routing software.

Grim added that the backup storage of routing data was compromised as well, so there was a period of weeks where the department tried to ascertain how much data it would ever recover.

“We initially lost our accident database, as well as a driver database which was critical for our state’s reporting requirements,” Grim said. “It meant a lot of research by our IT team into backups, and whether those backups were accessible after the attack.”

“Our IT Department is amazing,” he continued. “They were able to identify and recover a great majority of files related to routing or maps, and many of the routes that we had previously put together. They were also able to access some earlier versions of our lost databases. Still, we had to begin thinking about operational changes because our resource availability was so restricted.”

Recommendations for Data Protection and Backup

“In light of the extensive identified ransomware attacks on school districts across the United States for over the past five years, it is crucial that school district transportation offices keep meticulous documentation and take inventory of the different kinds of personally identifiable information kept on each child transported by the school district,” Bluth said.

Grim said the attack caused BCPS to re-think many of its routine processes.

“We looked at how we backed up information, and how we plan to ensure the diversification of our data storage,” he said. “We’ve also upgraded some of our older legacy systems, which has been a positive element to this whole ordeal.”

Callow said that districts should, at a minimum, back up all data in multiple secure locations; patch systems promptly; use multi-factor authentication whenever possible; securing or disabling remote access solutions; and training staff to spot suspicious emails.

“Almost every ransomware attack succeeds because of a basic security failing,” he said. “Paying attention to the basics can be crucial in reducing the chances of your organization being hit.”

Bluth added that school district ransomware attacks and victim experiences should be shared openly nationwide in order to assist in the prevention of new ransomware attacks. She said cybersecurity school district forums should also be elevated as a national ransomware prevention priority.