WASHINGTON – The ransomware attack on the Dallas Independent School District two years ago exposed personal data on staff and students – Social Security numbers that put them at risk of identity theft.
It also exposed grades and, in some cases, medical records, part of a cybercrime wave that has hit districts nationwide in recent years, and which the White House is trying to blunt.
“Every student deserves the opportunity to see a school counselor when they’re struggling, and not worry that these conversations will be shared with the world,” first lady Jill Biden said Tuesday at a White House cybersecurity summit that brought educators together with security officials and experts.
At least eight school districts across the country were hit by significant cyberattacks in the 2022-23 academic year. Four of those had to cancel classes or close completely for at least a few days.
Across the country, 647,000 students were impacted by ransomware attacks on K-12 schools in 2021, the year DISD was targeted, according to a 2022 Government Accountability Office report.
The loss of learning following a significant cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months, GAO said.
The attacks cost the affected districts from $50,000 to $1 million.
Schools are not the only targets of this growing industry.
The city of Dallas is still recovering from a ransomware attack detected in early May that brought down the police department website and disrupted city services for weeks. The hackers got hold of Social Security numbers and other personal information for staff across multiple departments.
On Monday, The Dallas Morning News reported that data for members of the public was also stolen. Hackers accessed the personal information of at least 26,212 Texans in the attack, according to an official disclosure on the Texas Attorney General’s website.
At the White House, school administrators and members of Congress joined the first lady, Education Secretary Miguel Cardona and Homeland Security Secretary Alejandro Mayorkas to discuss cybersecurity as the new school year gets under way.
Also on hand were officials from the FBI, National Security Council, and Cybersecurity and Infrastructure Security Agency, which is part of Mayorkas’ department.
“We need to be taking the cyber attacks in schools as seriously as we do the physical attacks on critical infrastructure,” Cardona said.
The DISD data breach was discovered on Aug. 8, 2021. Hackers accessed the district’s data and temporarily stored it in an encrypted cloud storage site, exposing the personal information of students and employees.
DISD did not disclose how much the cyberattack cost the district.
Information on employee salaries, dates of employment and reasons for ending employment was exposed, as well as student data – including grades and parents’ cell phone numbers.
The Biden administration on Tuesday announced several initiatives to combat the threat, including the establishment of a Government Coordination Council to coordinate communication on cyber defense among federal, state and local education leaders.
The Education Department issued detailed guidance on how to strengthen the digital infrastructure of education to prevent future attacks.
Hackers sometimes demand billions of dollars to unlock a company or government agency’s data. Not all ransom payments are made public, but by some estimates, victims pay an average of $258,000.
“An ounce of prevention today is worth a pound of cure tomorrow,” said Mayorkas.
DISD isn’t the only North Texas district targeted.
In August 2022, a ransomware attack forced the Mansfield Independent School District to hold classes without access to the internet or other web-based systems.
Neither district was represented at the summit.
In February, the Los Angeles Unified School District acknowledged that mental health assessments of roughly 2,000 current and former students had appeared on the so-called dark web after a hack the previous year.
At the White House, LA superintendent Alberto Carvalho urged other districts to make sure to back up their data.
“Have a backup plan that is independent from your digital assets and systems to restore education for kids,” he said.