Ransomware attacks on educational institutions in the United States have witnessed a troubling surge over the past year, presenting an escalating threat to both public and private school districts nationwide, as revealed in a recent report by S&P Global Ratings. This ominous trend has raised concerns regarding the security and stability of our education system. In this article, we delve into the findings of the S&P report, examining the impact of these attacks on schools, the financial implications, and the measures undertaken to combat this growing menace.
The comprehensive analysis by S&P Global Ratings indicates that the occurrences of ransomware attacks in educational institutions have doubled over the last year. Such incidents have not, as of now, adversely impacted the credit quality of schools or caused significant long-term operational disruptions. However, successful ransomware attacks can incur substantial costs, encompassing technology investments, ransom payments, legal fees, cyber security consultant fees, and expenses related to credit monitoring services for affected individuals.
The extent of a cyber attack can have enduring operational and budgetary consequences, potentially affecting the overall financial flexibility and credit strength of educational institutions. In the face of this escalating threat, school districts across the United States have encountered numerous challenges.
One stark example of this was observed in January, when Des Moines Public Schools, Iowa’s largest school district, was compelled to shut down due to a ransomware attack, causing 30,000 students to miss school. The district took a resolute stance, refusing to pay any ransom. Similarly, the second-largest school district in the nation, Los Angeles Unified, experienced a cyber attack in September 2022 but refused to give in to ransom demands. However, it is noteworthy that some school districts have chosen to pay ransoms, with the S&P report revealing that 50% of such entities have acquiesced to ransom demands. Keith Krueger, CEO of The Consortium for School Networking, aptly pointed out the discreet nature of ransom payments, stating, “It’s really hard to know who is [paying], it’s not something that a lot of school districts want to advertise.”
In addition to disrupted classes and examinations, several school districts have grappled with the theft of personal information belonging to students and staff. Educational institutions store highly sensitive data, making them attractive targets for cybercriminals who perceive schools as “target rich and cyber poor,” according to S&P’s findings.
Recovery from these cyber attacks is a protracted process, as highlighted in a report by the U.S. Government Accountability Office. The report unveiled that the loss of learning time post-attack varied from 3 days to 3 weeks, while the recovery period ranged from 2 to 9 months. Financial losses to school districts were reported to range from $50,000 to $1 million. It is important to note that the exact scope of cyberattacks on K-12 schools remains unknown, as many attacks go unreported. Moreover, the repercussions extend beyond schools, impacting vendors that educational institutions rely on for various services.
In 2022, Illuminate Education, an educational technology company based in California, fell victim to a cyber attack that affected over 1 million students in several states. Similarly, the Minnesota Department of Education reported an attack on the technology vendor MOVEit, which had a global impact, affecting more than 500 state and federal agencies, financial services firms, pension funds, and other organizations. This breach exposed sensitive student data, including dates of birth and county of foster placement.
To mitigate these risks, a 2022 report from the Multi-State Information Sharing and Analysis Center revealed that 83% of respondents had obtained cyber insurance, while 63% had formulated a response plan for potential cyber attacks. However, S&P Global Ratings noted a concerning trend in the surging costs of cyber insurance premiums, which could potentially undermine the preparedness for risk mitigation in some educational institutions.
In a proactive response to this growing menace, Federal Communications Commission Chairwoman Jessica Rosenworcel proposed allocating up to $200 million over three years to bolster cyber defenses in K-12 schools and libraries. “With the growing number of sophisticated cyberattacks on schools and especially the rise in malicious ransomware attacks that harm our students, now is the time to take action,” Rosenworcel emphasized.
The report by S&P Global Ratings also shed light on the discrepancy in cybersecurity preparedness between the private sector and the K-12 school sector, as well as the government sector. The latter appears to lag behind in adopting robust cybersecurity mitigation measures, raising the need for urgent attention and action.