Imagine you’re a small-business owner and your shop’s computer system falls victim to a cyberattack. Your email, financial records, contracts and a customer database get encrypted by a hacker who’ll unlock your files for a few thousand dollars.
You hate the thought of paying, but without the information you can’t run your business. You pay the ransom. Would you broadcast what happened? Do you think your customers would understand?
Now imagine you’re not a small business. Imagine you run a school district that employs hundreds of people and is entrusted with the education of thousands of children. Your district is expected to provide good stewardship of millions in taxpayer dollars, and it’s led by a school board whose members can be voted out of office whenever the electorate decides it’s time for a change.
It’s no wonder school districts sometimes try to keep embarrassing and costly cybersecurity failures under wraps. But they shouldn’t.
We have to hand it to officials at the Souderton Area School District, particularly Superintendent Frank Gallagher. At the start of this school year, hackers crippled its network and held it hostage for more than a week. Souderton didn’t hide it. Instead, the district went public with its story.
Officials there said their systems had network protections, but they failed to prevent the incursion. When it happened, employees couldn’t access their email. Students weren’t allowed to use their school-issued laptops. Souderton shut down its districtwide computer network and disabled internet connections in an effort to halt the attack.
Souderton temporarily used Wi-Fi hotspots brought in by Comcast and AT&T. It ultimately took $800,000 and an outside cybersecurity firm to “bring everything back to normal,” Gallagher told us.
Gallagher said the incident prompted the district to add a two-factor authentication measure for logging into its system and implement new cybersecurity protections.
Ransomware cases involving school districts and local governments are on the rise, as many hackers have shifted their attention away from individuals and small businesses to government bodies.
Data security company Emsisoft reported that ransomware hit 113 states and municipal governments and 89 universities, colleges and school districts in 2019 alone. Of course, that doesn’t include the hacks that go unreported. County officials revealed that at least one municipality in Bucks County was hit recently. So were the Cherry Hill School District in New Jersey and the city of Allentown.
Gallagher agreed to speak with us in the hopes that other districts will see Souderton’s story as a cautionary tale. We applaud him for that. Organizations that sweep ransomware attacks under the carpet miss an opportunity to look out for others.
But since it’s human nature to want to avoid telling the world about our failures, we’d like to challenge our state legislature to pass a law requiring local governments and school districts to disclose instances of ransomware that hit their organizations.
Regulations already require U.S. health care companies that sustain a data breach to alert the government and the general public. Local and state governments have no such requirement, but they should.
One way to slow this burgeoning threat is to start talking candidly about it rather than keeping it quiet. A more complete picture of these cases’ prevalence will hopefully raise awareness, dispel any negative stigma that might exist surrounding ransomware victims, and compel other districts and local governments to be more proactive about their own security.
That’s beyond the other obvious reason — that the taxpayers who fund our school districts, towns and counties ought to know where their money is going.