The Department of Education alerted schools to a cyber extortion threat and provided guidance in an announcement by the Federal Student Aid Office last week.
“We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records,” the letter, signed by Tiina Rodrigue, the Office’s senior advisor for cybersecurity, stated.
The letter noted that in certain instances, hackers have threatened students with violence, shaming, or bullying until the ransom is paid, although none of the threats of violence have been deemed credible.
The cyber attacks are currently being investigated by the FBI, and the letter said at least three states have been affected by the hacks. More than three dozen school systems have been victims of cyber attacks in 2017, the Wall Street Journal reports, although only a fraction of those attacks qualify as cyber extortion.
Department Gives Schools Cyber Attack Guidance
The announcement mentioned that school districts with weak data security or vulnerabilities are especially likely to be targeted by hackers.
“[Cyber attacks] may come in the form of electronic attacks against school/district computers or applications, malicious software, or even through phishing attacks against staff or employees.”
The Department encouraged IT staff members at schools and school districts to take the following steps:
- Conduct security audits to identify weaknesses and update/patch vulnerable systems;
- Ensure proper audit logs are created and reviewed routinely for suspicious activity;
- Train staff and students on data security best practices and phishing/social engineering awareness; and
- Review all sensitive data to verify that outside access is appropriately limited.
How Schools Should Respond to Cyber Attacks
The Department’s announcement also included instructions for schools affected by cyber extortion. The letter advised schools to contact law enforcement immediately and contact the Department at [email protected] to allow government officials to monitor the spread of the threat. The PTAC website has more helpful resources for responding to and recovering from cyber attacks.
“While this new threat has thus far been directed only to K12 schools, institutions of higher education should know that they are required to notify the Office of Federal Student Aid (FSA) of data breaches via email pursuant to the GLBA Act, and your Title IV participation and SAIG agreements.”
Other cyber security resources for colleges and universities can be found at the Office’s Cybersecurity page on ifap.ed.gov. Campus Safety has also released cybersecurity guidance for schools as well as parents and students.