K-12 schools are often the target of cyberattacks because they are underfunded when it comes to cybersecurity resilience, explains David Choffnes, executive director of Northeastern’s Cybersecurity and Privacy Institute.
A nationwide breach that has exposed the data of students and teachers around the country underscores how vulnerable educational institutions are to cyberattacks because of a lack of resiliency investments, Northeastern University cybersecurity experts say.
On Jan. 7, PowerSchool, a software company that provides educational services to more than 60 million students in K-12 schools throughout the world, announced that the data of some customers had been compromised as part of a hack on its systems.
Using stolen credentials, hackers accessed PowerSchool’s portal to steal information from teachers and students including names, addresses, phone numbers, Social Security numbers, grade point averages, bus stops and medical information.
“It’s one thing when your own data gets compromised, and we all generally don’t feel great about it, but we are talking about your children who are either not online or barely online,” says David Choffnes, executive director of Northeastern University’s Cybersecurity and Privacy Institute. “To have their sensitive information exposed like this is a huge problem because while those of us that are grown-ups have a certain amount of our lives left, it’s nowhere near as much as kids. Their information will be exposed for much longer.”
K-12 schools are often the target of cyberattacks because they are historically underfunded when it comes to cybersecurity infrastructure, Choffnes says. Additionally, hackers understand how valuable the data of children can be and that those affected are often more willing to pay top dollar to prevent sensitive information from getting released.
“Who do attackers target? They attack the most vulnerable and valuable,” Choffnes says.
Cyberattacks in schools are on the rise, and according to the U.S. Department of Education, K-12 schools throughout the country are experiencing roughly five cybersecurity incidents per week.
A 2024 trends report from the State Educational Technology Directors Association revealed that the top priority for state education tech leaders is bolstering cybersecurity measures, but many believe there is a lack of state funding to adequately address the situation.
“We all know that high schools and middle schools often have the least amount of funding for enhancing or strengthening their security,” says Aanjhan Ranganathan, a Northeastern professor in the Khoury College of Computer Sciences and cybersecurity expert. “They have enough funding problems already.”
“Most of their systems are likely outdated and therefore have old security vulnerabilities that should have been patched,” he adds. “There’s a whole bunch of low-hanging fruit for hackers to get into.”
PowerSchool has not shared the scope of the attack, but individual school districts throughout the country that are customers have been notified. The company says it is working with CrowdStrike, a cybersecurity firm, and the FBI to investigate the issue and will release a detailed report by Jan. 17.
On the customer end, PowerSchool has taken a number of steps to address the situation, including instructing customers to rotate their passwords. Meanwhile, it is monitoring the dark web to see if any information has been exposed, and is offering credit monitoring services to those affected, according to a report from the cybersecurity trade publication BleepingComputer.
Notably, PowerSchool confirmed in an FAQ page to customers that it paid a ransom to the hackers to prevent the release of the data, noting that it had received a video showing the data being deleted, BleepingComputer reports.
Ranganathan says a video alone cannot be trusted as proof that data has been deleted.
“It absolutely doesn’t make sense for you to believe a video of data being deleted,” he says. “Even if you or I deleted something on our devices, it’s still there and can be very easily recovered.”
Choffnes adds that there are concerns with agreeing to pay ransoms.
“In the microscopic view of things, that sounds good because that means this data hopefully is no longer going to be exposed. Bigger picture though, if you pay a ransom, that encourages more of the same activity and incentivizes attackers to go and steal stuff because they expect to get paid, which is not good for society.”
How the hackers obtained the login credentials they used is still unclear. One explanation is that the credentials were obtained through an email phishing attack, but Ranganathan says hackers can be creative in getting this information.
“Kids are often on Discord servers playing games,” he says. “This is exactly the same place where hackers hang around. It only takes one or two hackers to say, ‘Hey, give me your credentials. Let’s play around with school data and see what we can get.’ There are so many ways you can trick people into giving their usernames and passwords.”