Report: California school districts likely underreporting cyberattacks

Despite a new law, few California school districts appear to be telling state officials when they’ve suffered a major cyberattack, and those that do report problems are turning down aid.

Statewide, 38 of the state’s 945 public school districts, 1,283 charter schools, and 58 county offices of education suffered serious cyberattacks in 2023, according to a new report.

The nine-page report on California school districts, first released in January by the California Cybersecurity Integration Center to the state Legislature, was released to the Southern California News Group in response to a California Public Records Act request. The report is mandated by a 2022 law, Assembly Bill 2355, that requires school districts, county offices of education and charter schools to report cyberattacks affecting more than 500 pupils or staff members to Cal-CSIC.

Peter Reiher, a network security specialist and adjunct professor of computer science at UCLA’s Samueli School of Engineering, said the center’s report may not adequately reflect the scope of cyberattacks in the state’s public educational institutions.

“It looks like they were not getting a lot of cooperation from the school districts at all,” Reiher said. “It sounds like most of the districts didn’t respond (to Cal-CSIC inquiries) at all.

“I can’t say that’s surprising,” he added. “I’m sure there’s little money (in school districts) devoted to seeing if they were hacked at all and they didn’t see much value in reporting this information.”


Information about security incidents reported to the center, or those which the center found through other means, was often limited:

According to the report, statewide, there were 16 reported cybersecurity incidents in 2023 that each affected more than 500 pupils or staff, one that affected fewer than 500 people and 21 where the reporting agency didn’t provide that information.

A total of 17 data breaches were reported to the center, including 13 data breaches of school district computer systems (with two also involving ransomware), three of charter school computer systems (with one also involving ransomware) and one of a county office of education system that combined a data breach and ransomware.

Ransomware — software that locks up a device or data until the owner agrees to pay a ransom to (hopefully) unlock it — was the second-most common form of reported attack.

Hackers only infecting school districts with ransomware some of the time makes sense to Reiher.

“It might be that school districts are, in many cases, too poor to pay up. They’re just not going to be worth the trouble” to hackers, he said. “Hackers are in this for the money. If they hack 12 school districts and 11 of them don’t pay up, and they hack 12 businesses and eight of them pay up, they’re going to go for the businesses.”

Five school districts reported being hit with ransomware, as did three charter schools and three county offices of education, according to the Cal-CSIC report. Two school districts and one county office of education reported being hit with malware (malicious software intended to damage or disrupt computer systems), viruses or scams sometimes known as “scareware” that try to trick victims into purchasing software or services they don’t need.

The center declined to name the 38 districts that reported being attacked in 2023.

In recent years, however, some districts have gone public when they’ve been the victims of cybercrime.

In 2020, in the midst of the coronavirus pandemic, with California students taking classes online, Rialto Unified was hit with a malware attack. The district had to suspend online classes, take back the iPads it had provided to students and reset the devices.

Since then, the district has beefed up its cybersecurity, according to district spokesperson Syeda Jafri.

“We are committed to updating our hardware and software infrastructure, on an ongoing basis, to ensure we are up to date with any security patches,” Jafri wrote in an email. “To enhance district staff’s ability to recognize and report malicious emails containing spam and phishing content, our Technology Services has implemented annual security training. Additionally, staff who have access to our district email systems are required to change their passwords every 90 days.”

Phishing attacks attempt to fool users into clicking on links or downloading software that opens their systems up to attack.

And in 2022, Val Verde Unified suffered a data breach. According to the district, “a limited amount of information may have been accessed,” potentially including personal information of students, parents or staff, although the district didn’t specify who may have been affected.

“We think that some (personal data) may have been accessed, but if it was, it was an extremely limited amount of data,” Val Verde Superintendent Gordon Amerson said Tuesday. “We still believe that it was an extremely limited impact, if any at all.”

It’s not a shock to Reiher that hackers might just poke around inside school district systems without necessarily doing anything with the data they’ve accessed.

“They may just be poking around to see what they can use and finding there’s nothing they can use,” he said. “But there may very well be useful information, based on what the school district chooses to keep.”

Like other agencies that have been hit by attacks, Val Verde has worked to make staff more able to spot hacking attempts. That includes both annual cybersecurity training and ongoing tests throughout the year.

“We run simulated phishing attacks on all our staff throughout the year,” Amerson said. “We’re seeing fewer and fewer people falling for it, because there’s heightened awareness.”

He credits the district’s training and fake phishing attacks for staff’s growing awareness.

Cal-CSIC offered to provide help to affected education agencies. But according to the report, about half the time, agencies didn’t accept the offer, didn’t inform the center of the attack soon enough for it to be able to help or the center was unable to make contact with the affected agency.

“It sounds like this agency reached out to many districts and offered help in securing their systems and either got no answer or, when they got an answer, were told ‘no, we don’t need the help,’ ” Reiher said.

And that may leave California’s school districts, charter schools and county offices of education vulnerable to future attacks.

“Phishing and ransomware is still a very big problem,” Reiher said.
