SACRAMENTO (CBS13) – Cybercriminals are targeting schools at an alarming rate and exposing children to identity theft – and their parents may never know. CBS13 discovered alarming statistics on cyber attacks in schools and a lack of school policies for tracking and reporting these attacks.
- Schools are not required to report cyber attacks to a governing body.
- In most cases, parents do not even have the right to know that their child’s school has been attacked.
- CBS 13 surveyed over 50 local districts about their cybersecurity policies and only the district confirmed that it actually had one.
- Meanwhile, CBS 13 reviewed more than 120 recent California cyber incidents at K-12 schools, including more than a dozen ransomware attacks. At least one has never been reported publicly or to parents.
From high school students fresh out of distance education, to “Mr. Code’s Wild Ride,” most kids realize the repercussions of a cyberattack, but their schools, it turns out, can’t.
READ MORE: New power plants are California’s latest effort to avoid power outages
According to a recent IBM survey, about half of teachers and administrators said they were “not concerned” about cyber attacks.
When CBS13 asked local school districts about their policies for tracking and reporting violations, only one in 50 school districts confirmed that they did have a policy.
“It is very difficult to move forward on this issue when we are kept in the dark. Parents cannot protect their children and policymakers do not know the need to take action to protect their communities.
Two school districts said they were in the process of developing a cyber attack reporting policy, and several said they needed more time to respond, which is permitted under California’s public records law. However, the vast majority of school districts did not respond at all to CBS13’s request.
Meanwhile, CBS13 has identified more than a hundred publicly reported cybersecurity incidents in California K-12 schools, including nearly a dozen recent attacks of ransomware, a type of malware that locks down computers. and files until a ransom is paid.
We have confirmed that at least one ransomware attack in a Placer County school district has never been reported publicly or to parents.
Last year alone, cybersecurity analysts tracked more than 1,600 ransomware attacks in school districts across the country.
And there are growing reports that student information from hundreds of these breaches is now available on the dark web, where children’s information sells for a high price because of their credit history. clean make them ideal targets for identity thieves.
Most will not find out that they have been victimized in years.
This Toledo incident was referenced in a letter from Senator Blackburn to the Education Department, calling for accountability and data on the number of children affected.
âThese incidents happen a lot more frequently than a lot of people realize,â said Doug Levin, director of the nonprofit K-12 Security Information Exchange, which helps protect schools from cyber threats.
His group tracks publicly reported cyber attacks, but says most schools never report them.
“It is very difficult to move forward on this issue when we are kept in the dark, âLevin said. âParents cannot protect their children and policy makers do not know the need to take action to protect their communities.
California leads the FBI Internet Crime Report for total fatalities and money lost, and Levin says California is among the top three states for cyber attacks on schools.
Yet the California Department of Education tells us, âSchools are not required to report ransomware attacks to state or federal entities. “
âCyber ââsecurity practices for school districts are largely unregulated right now in the United States,â Levin said.
The California Department of Education (CDE) told CBS13 that schools can âdeclare themselvesâ to private entities. The CDE provided a link to the nonprofit and Levin’s data breaches in its response to CBS13. However, Levin says he is not aware of any school that has ever self-declared.
READ MORE: Former firefighter finds dogs after their theft at his Calaveras County home
The CDE also told CBS13 that it was not aware of any California school districts that had paid a ransom.
âThere have been public reports from California school districts that have paid off,â Levin pointed out, âwhich [means] obviously they don’t follow either.
In fact, Levin notes that there isn’t a consistent standard for who should know about school offenses, and it seems even state regulators are confused.
The CDE pointed CBS13 at this federal law, which they said initially required parents and students to be notified if a student’s information is disclosed. But the federal government says that’s just not true: The law doesn’t require schools to tell students about compromised information.
Several districts have told CBS13 that they will, in some cases, notify families under California’s Data Security Breach Notification Act, which applies to California businesses and agencies.
But other districts appeared to ignore state law, or said it wouldn’t necessarily apply to ransomware attacks without proof that hackers actually “acquired” specific personal information.
âReally what they’re saying is we don’t have any evidence that student data was stolen,â Levin said.
But he stressed that schools should assume that private information has been compromised after any ransomware attack, as hackers often gain access to school servers for days or weeks before activating the ransomware.
âI mean, at this point the damage has been done,â Levin said.
California’s data security breach reporting law, which does not specifically refer to schools, only requires reporting specific types of information that has been knowingly “acquired by an unauthorized person.”
Under the law, agencies are also expected to report violations affecting more than 500 people to the California Attorney General. However, California Attorney General Rob Bonta’s office has not responded to repeated requests for information about the requirements of the law or whether school incidents have ever been reported to their agency.
A local district, which has seen two recent unreported attacks, said it only reports cyber attacks to its insurance company. The district added that it would only inform students and families based on the advice of that insurer.
âInsurance companies shouldn’t be the ones making this decision,â Levin said. âThese are public institutions that use taxpayers’ money to provide valuable services to a sensitive population. Our children. “
Schools in Texas must report stolen student information to the National Education Agency. A bill in Illinois would require schools to report any cyber breaches to the region’s Department of Education. And this federal bill would commission a study into the cybersecurity risks facing schools.
But so far, there’s nothing forcing California schools to track or report growing cyber attacks.
The Center of Internet Safety, which monitors emerging threats, predicts an 86% increase this year in cyber attacks against schools.
Experts recommend freezing your child’s social security number credit with all three credit monitoring services, Experian, Equifax, and TransUnion. A children’s credit freeze can help prevent hackers from using their information to open credit cards or take out loans on their behalf.
NO MORE NEWS: Street closure creates conflict between businesses in downtown Davis
The law to allow the freezing of children’s credit in California was prompted by previous investigations by CBS13.