INDIANAPOLIS — WRTV Investigates has uncovered a growing number of cyberattacks on Indiana school districts.
These incidents can cost schools precious time, money and even put your child’s personal information at risk.
Indiana school districts have reported 46 cyberattacks and attempts attacks since July 2021, according to data obtained by WRTV Investigates.
Cybercriminals love to target schools because they’re often easy to hack, they’re a treasure trove of student and staff personal information—plus the use of cryptocurrency makes it easy to get paid undetected.
Cybersecurity on the minds of many students
Like many teens, Ben Davis High School seniors Madilyn Russell and Cameron Davenport spend a lot of time online.
For them, cybersecurity is top of mind.
“Not sharing your password,” said Russell. “Being aware of what websites you're visiting."
They say staying cybersafe is a necessity these days.
“We have our school chrome books, phones, tablets, laptops, PCs,” said Davenport.
The students think about their school becoming a victim of a cyberattack.
“For sure, because schools have a lot of valuable information,” said Davenport.
The Metropolitan School District of Wayne Township has not had any cyberattacks, according to Dr. Tony Harvey, Chief Technology Officer.
“We make sure every device has anti-virus on it,” said Harvey. “We have a firewall that detects all the bad stuff that could come into our system."
But many school districts have not been so fortunate.
Growing number of schools victims of cybersecurity incidents
More than 1,300 cybersecurity incidents have impacted schools nationwide over the past six years, according to K-12 Security Information Exchange, a nonprofit aimed at protecting schools from cybersecurity risks.
"School cybersecurity incidents are growing more frequent,” said Doug Levin, national director at K-12 Security Information Exchange. “They're growing more significant, and they really require a concerted effort by school and IT (Information Technology) leaders to take this issue more seriously."
Levin said cybercriminals target schools for a reason.
“Schools haven’t caught up,” said Levin. “Administrators don’t understand it. They see it as an IT issue.”
Schools house valuable information about your children, and cybercriminals want to sell it on the dark web to someone who can create an identity in your child’s name.
“As we don’t think of schools as rich organizations, they do manage a lot of money,” said Levin. “That is plenty enough to get the attention of cybercriminals who have tried to scam and extort school districts across the country out of hundreds of thousands if not millions of dollars.”
Because it’s a child, the identity theft could go undetected for years.
New Indiana cybersecurity law took effect July 2021
In Indiana, a new law took effect in July 2021 that requires schools and local government agencies to report cybersecurity incidents to the state’s Office of Information Technology within 48 hours.
Indiana is one of only 10 states with a law requiring local government agencies to report cybersecurity incidents to the state.
WRTV Investigates uncovered in the last year, Indiana school districts reported 46 cyberattacks and attempts attacks.
Hospital Authority or Corporation
Business Email Compromise
Distributed Denial Of Service
“There’s a lot of cyberattacks out there,” said Graig Lubsen, Director of Communications and External Affairs for the Indiana Office of Technology. “It's happening everywhere, these attacks.”
One school district reported a phishing email which appeared to come from the U.S. Treasury Department, discussing the schools’ W-9 tax form.
Lubsen said they have more than 600 people, including school leaders, signed up across the state to report cybersecurity incidents to their office.
“We’ve got a lot more to go,” said Lubsen.
The Indiana Office of Information Technology is traveling the state to educate schools and government agencies about the new cybersecurity reporting law.
WRTV compiles growing list of districts hit with cybersecurity incidents
The law does not require the state to disclose which schools have experienced cybersecurity incidents.
So WRTV Investigates started compiling our own list.
- In 2019, Penn Harris Madison Schools, one of the largest school districts in Indiana, suffered a malware attack that forced the district to shut down its servers.
- In 2020, Schools in the Community School Corporation of Southern Hancock County district experienced a cyberattack, primarily affecting internet connectivity for teachers and students.
- In April 2021, hackers shut down phones and internet at Logansport Schools.
- In May 2021, Eastern Hancock Community School Corporation suffered a cyberattack on its camera system in May 2021.
- In October 2021, in Duneland Schools, employee birthdates, social security numbers, drivers’ license numbers and benefits information were subject to a data security incident.
- In June 2022, Mooresville Schools experienced what it called a “computer network disruption.” A ransomware group claimed to have stolen student records, however, the district says after months of investigation those claims remain unverified.
No arrests have been made in any of the above cybersecurity incidents.
Eastern Hancock Community School Corporation’s superintendent Dr. Philhower said the district lost a day of instruction while it addressed a cyberattack on its camera system in May 2021.
“I don't think this kind of thing ever feels minor,” said Philhower. “We have wonderful technology people that were able to restore everything. We really did not lose anything at all."
Philhower said the district did not have to pay any ransom, nor did they have any costs associated with the incident.
“The system they got into, we were able to reboot,” said Philhower. “There was nothing lost from it. There was no sensitive information that was even in the servers that were attacked in the first place.”
Cybersecurity threats costly to Indiana school districts
Even when no information is compromised, cybersecurity threats can be quite costly to Indiana school districts.
WRTV Investigates filed records requests and found Indiana schools have paid tens of thousands of dollars to help recover from cyber attacks and to improve their IT systems after the fact.
- Baugo Schools spent $10,000 to upgrade their firewall following a cyberattack
- Logansport Schools pays a company $30,000/year to help monitor its systems 24/7
- Mooresville is spending $80,000 a year on cyber protection. A district spokesperson told WRTV, “We added Sentinel One to our cyber protection initiatives this summer at a contracted cost of approximately $80,000/year.”
- Duneland Schools has paid more than $281,703 for cybersecurity services and consulting over the past year, records show
These attacks also cost schools precious time away from teaching kids.
Not only do they have to report to the state’s Office of Information Technology, but schools should also report cyberattacks to the FBI.
FBI working to address cybersecurity incidents at schools
WRTV Investigates took concerns about cybersecurity and Indiana schools to the FBI to find out what they’re doing to stop the attacks.
Herb Stapleton, Special Agent in Charge of the FBI’s Indianapolis field office, said the FBI can stop ransom payments from getting to criminals if they are notified quickly.
“Trying to go after the money, and then to target the actual infrastructure that these individuals use,” said Stapleton. “What we are trying to do from an investigative standpoint is go after the key services that create an environment in which ransomware can happen. That means targeting the people who are responsible for gaining access to these networks, that can mean targeting the funds or proceeds of this kind of illicit activity.”
But it’s not easy to find the cybercriminals and prosecute them.
“It takes an extraordinary amount of investigative work,” said Stapleton. “Once we identify who they are, there’s a whole new set of challenges as we identify where they are. As you can imagine, many of these criminals live in countries that don't cooperate with the United States."
A lot of cyber attacks originate from Russia, China, Iran and North Korea.
Attacks on schools, even small ones, can impact national security, said Stapleton.
“The money they get from that cyber breach goes right back into their illegal cyber business and can contribute to hiring and gaining access to bigger and broader and more impactful attacks along the way,” said Stapleton.
The FBI emphasizes anyone who uses the internet can become a target.
“It’s a crime of opportunity,” said Stapleton. “No business is too big and no school system is too small for this type of activity. It’s about volume and driving profit.”
The FBI has a message for Indiana school leaders.
“We are there to help,” said Stapleton. “That would be the message we want schools to receive. If we don’t know about the cyberattack it’s impossible for us to help.”
If you know of a cybersecurity incident at a school, and we don’t have it listed, please let us know at firstname.lastname@example.org.
Tips for protecting your family from cyber attacks
- Ask your school district for their cybersecurity incident response plan
- It should outline what they will do and who they will contact (parents, the FBI, etc.) if there is a threat
- Talk to your kids about good password practices on both their school and home devices
- Use two factor authentication when possible, which makes it harder for someone to get into your accounts
- Do a credit freeze so no one can open accounts in your name or your child’s name.
Attorney General’s Office investigates data breaches
Douglas Swetnam, Section Chief for Data Privacy and Identity Theft Unit at the Indiana Attorney General’s Office said everyone needs to take steps to protect themselves.
“Make sure the children freeze their credit reports,” said Swetnam. “Parents should do that on behalf of their children. Parents should also freeze their credit reports. If it’s frozen, you shouldn't be able to open new accounts on it."
Schools and local governments also have to report to the Indiana Attorney General within 45 days if there has been a data breach or a disclosure of information.
The Attorney General’s office works with schools to understand what happened and to take steps to ensure it won’t happen again.
“We work with them to take steps to get past the incident,” said Swetnam.