Hackers Are Stealing Sensitive Student Data—And Schools are Paying Thousands of Dollars to Get it Back

“These groups are targeting some of the most vulnerable people in the nation—kids.”

FOTOKITA/iStock/GettyImages

Earlier this month, students and parents in Johnston, Iowa, received a barrage of threatening text messages. “I’m going to kill some kids at your son’s high school,” one said, according to KCCI, a local Des Moines news outlet. The threats eventually caused the school district to shut schools for a day. And just last month, students and parents around Flathead County, Montana, received similar, “extremely emotionally charged, seemingly real, physical threats,” according to a Facebook post by county Sheriff Chuck Curry. Those threats prompted more than 30 schools in the Columbia Falls district to close for three full days. 

What the parents and students didn’t know at first was that the threats were coming in because a group of hackers had taken over the local school systems’ computer networks. The hackers demanded bitcoin payments or else they would release private student and faculty records.

It’s now clear the group behind the threats in both of these cases was The Dark Overlord, a hacker collective that had previously tried to extort Netflix and ABC. The Daily Beast reported earlier this month that the group has taken responsibility for taking information from the Johnston district in Iowa to send out text messages and that it also claimed it published students’ names, addresses, and phone numbers in Johnston. In Flathead County’s Columbia Falls, Montana, CNN Money reports it demanded $150,000 to destroy the data it acquired after breaking into school servers. If the school didn’t pay up, a ransom note warned the Montana school board, “we will escalate our use of force in a tiered process that will involve an ever increasing level of damage and harm for you.” 

The Dark Overlord, though, is not acting alone. Schools seem to be, as the Wall Street Journal reported this week, the next frontier for hackers vying to exploit sensitive data for money. This infiltration of schools’ servers could result in access to information on students’ names, social security numbers, as well as medical, academic, and disciplinary data, and could open the door for hackers to target and pilfer from teachers’ paychecks. As the Journal reports, cybercriminals have attacked more than three dozen schools so far this year, prompting districts to pay thousands of dollars to hire cybersecurity consultants, get security training for employees, invest in insurance and, in some cases, pay the hackers outright to destroy obtained data. 

The string of incidents caught the attention of the Education Department. On Oct. 16, it warned teachers, students, and parents of the new threat of cyber criminals threatening to release sensitive student records data unless the districts or educational institutions pay up. The department notes in its advisory that at least three states have been attacked by hackers who threatened to release private records if they didn’t receive ransom payments and that the hackers likely target “districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data.” Tiina Rodrigue, a senior advisor for cybersecurity in the Education Department, advised in the note for school tech personnel to conduct security assessments, train staffers on data security practices, and review systems for suspicious activity. 

US law enforcement, the Journal notes, has advised against making ransom payments since such action would raise the risk of further attacks and fund other illicit activity. In the case of Johnston, Iowa, school officials have refused to pay the ransom, despite facing ongoing threats of releasing sensitive data, according to CNN Money. But other districts have defied federal law enforcement advice and have paid off hackers to avoid potential data losses. Last year, for instance, Horry County Schools, a district of 43,000 students in South Carolina, gave about $10,000 in ransom payments in bitcoin to hackers. District officials in Atlanta Public Schools discovered in September that 27 district employees lost $56,000 after hackers re-routed direct deposits away from them. And in August, 46 employees at Georgia’s Fulton County Schools lost about $75,000 after they were tricked into providing a login information through fake phishing emails, the Atlanta Journal-Constitution reports. Both districts reimbursed those employees. 

The FBI is also actively investigating the wave of threats at schools. Steve Daines, a Republican senator from Montana, raised the issue to FBI director Christopher Wray at a hearing in Washington, D.C., at the end of the September. Wray acknowledged that the agency was actively involved in the Columbia Falls case, adding: “It’s no longer just ransomware to a big Fortune 500 company. It’s hospitals, it’s schools in your case—so it’s a threat that is growing.” The FBI is also involved in investigating the Johnston case, according to the Des Moines Register.

“They know that cyber craziness is not our game, and they are winning,” Laura Sprague, a spokeswoman for the Johnston Community School District, told the Journal. “These groups are targeting some of the most vulnerable people in the nation—kids.”