The U.S. Department of Education recently issued a warning that hackers are targeting schools with insufficient IT security and threatening to release sensitive student information unless a ransom is paid.
“In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received,” the warning states.
Although none of the threats of violence have yet be considered credible, attacks in three states are being actively investigated by the FBI, according to the warning. In one of the cases, an entire school district in Montana shut down for three days following after a data breach of student and faculty records.
Particularly alarming was the discovery that the group had hacked the school’s security cameras and could watch their every move, NBC News reported.
Steve Bradshaw, school superintendent in Columbia Falls, Mont., located at the foot of Glacier National Park, told NBC News he received messages in September from an anonymous person who mentioned “splattering blood all over the hallways.”
Bradshaw turned over the alarming messages to local law enforcement.
“The threats were mostly about killing children—and graphic ways that they were going to kill the children,” Columbia Falls Police Chief Clint Peters told NBC News.
When it was evident that the person or group sending the messages was after a ransom in exchange for not releasing student Social Security numbers, phone numbers, and addresses, law enforcement officials began trying to negotiate with the cybercriminals over their demands.
Particularly alarming was the discovery that the group had hacked the school’s security cameras and could watch their every move.
After a rash of attacks across the country, the FBI is asking school districts to make cybersecurity a priority.
In Columbia Falls, Bradshaw’s team met with families, consulted with the FBI, and ultimately made the decision to not pay the hackers.
That was followed by more threatening texts.
“It’s about power and it’s about fear,” Bradshaw told NBC News. While he made the choice not to pay, he said he dreads the thought of the hackers dumping student information.
“Will they dump this information? Will they impact some child to the point that that child could be emotionally damaged for the rest of their life?” he said.
Schools Present Easy Targets
With many school districts across the country facing tight budgets, cybersecurity is often an after-thought, sources told NBC News.
“Schools are vulnerable for a variety of reasons,” said Shawn Henry, chief security officer of Crowdstrike and former assistant director of the FBI.
“First of all, their security is not always up to par and that’s because they don’t have a high budget in order to invest in security protocols,” he said. “But they also have information that’s of value and people want to protect children.”
The Department of Education is encouraging schools to conduct security audits and to train staff on cybersecurity best practices, including how to avoid being targeted by social engineering schemes, such as fake emails that look real but, if clicked, can provide hackers access into the school’s system.
Cybersecurity “needs to be a budget item every year,” said Howard Marshall, a spokesman for the FBI. “At the end of the day, they are protecting the country’s most important assest and resource—and that’s our children.”