Two East Idaho school districts — Jefferson County and American Falls — were recently targeted in ransomware attacks that temporarily disabled their systems and derailed learning.
For weeks, students and teachers had to revert to “old-school” learning — without the aid of devices or internet. Teachers could not access email, grade books or school phones.
“It was the opposite of what we went through (during the pandemic) when all of a sudden we couldn’t be in person and we went to technology,” said Chad Martin, superintendent of Jefferson County School District.
In his district, school was canceled for a day to give teachers time to adapt.
“I was amazed at how well (teachers) just did what they had to do, just like in COVID,” Martin said. “We did whatever we had to do to make it work.”
Both school districts are now recovering from the attacks and gradually regaining access to the hacked networks and devices. It’s the second technology catastrophe this school year for both districts after a large-scale, national data breach impacted their learning management system, PowerSchool.
As technology becomes more embedded in American classrooms, the incidents show the limitations and vulnerabilities that can accompany an increased reliance on connectivity.
“We live in a day and age when that stuff unfortunately happens,” Martin said. “But in both cases, we were able to say that no student data — like social security numbers, things like that — was compromised. We don’t even store those things.”
Nationally, ransomware attacks have ballooned over a six-year period, from 2016 to 2022, according to Kara Arundel of K-12 Dive. This school year, ransomware attacks have impacted districts in cities from Tucson and Nantucket to Chicago.
In East Idaho, both districts are coming out of their attacks with lessons learned on how to better prevent them next time.
Here’s how a ransomware attack generally works: Attackers hack into a district’s network systems, lock them out, and threaten to dump their data on the dark web. If the districts want to regain access and keep that information secure, they are told they have to pay up.
In Jefferson’s case, the devices and systems hacked were so damaged it would not have been worth it to access them again, Martin said. Instead, his district worked with a recovery team to rebuild and reformat the impacted systems and nearly 5,000 student devices. The attack occurred in late January to early February, and about three months later, the recovery process is ongoing.
American Falls’ attack occurred at the end of March. Superintendent Randy Jensen said the district fortunately had a backup that was not connected to the network, so it was safe from hackers. The district has used that backup to rebuild its systems.
Jensen urges other districts to have a similarly disconnected backup system — and to take other simple steps to prevent hackers, like turning off computers at night and not leaving thumb drives connected.
Martin said Jefferson County School District’s technology department is going to have staff change their passwords more frequently and will be creating multiple off-site backups of district servers.
Both school districts got help handling the situation from their insurer, Idaho Counties Risk Management Program (ICRMP). ICRMP linked the districts with forensics teams that have facilitated the recovery processes.
The districts have also worked closely with the Federal Bureau of Investigation.
While the ransomware attack was stressful, American Falls School District found a silver lining: teachers and students enjoyed the break from devices enough that the district will implement a technology-free week once a year.
“I think sometimes we rely too much on technology and maybe spend too much time on technology,” Superintendent Jensen said.
The district implemented a cell phone ban this year, and Jensen said it sparked a “remarkable change.”
“Kids talk more to each other … participate more in class … have far fewer fights. Kids are more engaged. I mean everything was a positive.”
And going totally unplugged for a short period of time was even better, Jensen said.