When hackers go to school
Remote learning has become the target of many hackers, exposing school systems, teachers, students, and their families to new risks.
Students in jurisdictions across the country have been learning online since March, and during that time, multiple school systems have had their networks hacked and been the victims of denial of service attacks, preventing access to online resources. The Fairfax County school system in Virginia was hacked in September, and Clark County in Nevada had a cyber incident earlier during the pandemic.
Just before Thanksgiving, Maryland’s Baltimore County School system network experienced a cyberattack, prompting administrators to send text messages to teachers, warning them not to log onto the network. Schools were closed for three days, and an investigation to determine the scope of the infiltration is still underway. While county school officials believe that personally identifiable information (PII) for students and teachers was not compromised, it will be some time before that can be confirmed.
According to the Financial Management Practices Audit Report issued in November 2020 for Baltimore County Schools, the school system did not maintain adequate safeguards for sensitive PII. In addition, there was nonexistent intrusion detection coverage for 26 publicly accessible servers that were not secured against improper access. These deficiencies mean that hackers could have accessed some records and information, although that has not been confirmed.
What do these types of cyber events mean for students and their families at a time when online learning is the primary means of instruction?
Identifying the risks
“The necessity for remote learning in our homes has made us more vulnerable than ever to cyberattacks,” said Jim Hyatt, senior vice president of personal lines for Arbella Insurance Group, in response to questions from PropertyCasualty360.com. “With multiple users using the home Wi-Fi/internet for longer durations during the day, there are many points of entry that cybercriminals can use to access private, personal information. Homeowners should ensure that their internet is secure to protect against unauthorized access by third parties and prevent financial and emotional harm.”
Incidents like the Baltimore County attack include risks beyond stealing information from the school system. “The most common forms of cyberattacks are those in which a computer virus or other malware was installed on a computer. The user then becomes locked out of the computer, and the information becomes at risk of being stolen,” continued Hyatt. “Personal and financial information is now available to criminals. This could mean that someone could steal your identity, or they could email grandma with an extortion scheme. In the aftermath of these attacks, consumers generally spend more than $500 to respond.”
Cybercriminals have capitalized on the transition to remote learning and the vulnerabilities within the programs and school systems. “The primary risks that students face are from social engineering attacks, where a bad actor impersonates a known contact in order to obtain credentials,” explained Catherine Lyle, head of claims at Coalition, a cyber insurance and security company.
She highlighted several risks that parents and students should consider:
- Reusing passwords. This can include using the same password for the student information system (SIS) as for personal information. The SIS allows access to everything, including grade books, planners, private messages with teachers and more. There is a lot of information that can be used, held for ransom or exposed.
- Malware. This involves clicking on links that have banking Trojans that can then look for financial information for the student or their parents and empty their bank account.
- Business email compromised (BEC). This can lead to sending malware to everyone in their contact lists.
- Cyberstalking. Think social media account access or gathering online information from other sources to monitor someone’s activities.
Staying safe online
Lyle offered some practical steps to help parents and students minimize their online risks. “The best thing students and school administrators can do to prevent social engineering attacks is to implement multi-factor authentication (MFA) on their email. If a user is tricked into revealing their username and password through social engineering, MFA can prevent the attacker from being successful if their intent was to steal credentials. In addition, we recommend that school systems implement a security awareness training program. One of the most pervasive ways to avoid social engineering attacks is to properly train your staff to understand the challenges they’ll face.”
Lyle also recommends that students carefully consider any links before clicking on them, create strong passwords for logins, use the options in Zoom and Google that allow a student to change or blur their backgrounds to further protect their identity, and finally, protect their PII by knowing who they’re sharing it with and how it will be used.
Computers should utilize some version of antivirus software, and students should keep it updated. The same holds for the security updates from the operating system manufacturers. They frequently include patches to fix identified security vulnerabilities.
After the cyberattack
When a cyberattack does occur, Lyle advises students and parents to purchase and use antivirus software if it’s not already on the computer. Students should back up their computers regularly to capture critical information before it is lost. Changing passwords frequently can also make it harder for hackers to access information. Lyle advises users to check their email settings to ensure they do not include any unrecognized forwarding rules. A police report should also be filed if there is any harm to property or if identity theft occurs.
There may be some third-person liability for the schools if students’ or teachers’ computers are harmed in some way, and they may seek reimbursement or recovery from the school system. Credit monitoring for both students and teachers will also be critical. For students, if their PII was stolen, it could be sold on the darknet and used to set up synthetic identities (a fraud that combines real information with fake information to create new identities for individuals who may set up credit cards and other records that could damage a student’s credit in the future).
Insurers are also starting to offer personal cyber policies that can help consumers who suffer a cyberattack navigate the aftermath. Hyatt says consumers need to look for a variety of coverages when shopping for a cyber policy. Arbella’s Home Cyber Coverage insurance is designed to help protect individuals and families after a cyberattack has occurred. Services include removing a virus or reprogramming computers and tablets, WI-FI routers and other access points, reimbursement for approved ransom payments, as well as coverage for online frauds such as identify theft, phishing schemes or illegal banking or credit card transfers. It can even provide coverage for legal expenses, temporary relocation, and in some cases, mental health counseling if a child is attacked by a cyberbully.
In a business setting, people are more likely to be aware of the various types of cyberattacks perpetrated on their computers. However, working or going to school from home involves a certain level of comfort and security because home is supposed to be a safe place. As these attacks have shown, hackers are willing to exploit vulnerabilities anywhere.
Related: