An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.
# Incident Report: Pervasive Obfuscation Following U.S. School Cyber Incidents
## Executive Summary
Since the pandemic, U.S. schools have become leading targets for cyberattacks, particularly ransomware. The primary issue identified is a systemic pattern of obfuscation by school leadership, often guided by insurance companies and privacy lawyers who manage responses under attorney-client privilege. This practice shields investigative details from the public, leaving students, parents, and staff unaware of the scope of their sensitive data exposure.
## Incident Details
- Discovery Date: Ongoing over the past five years (since the pandemic disruption).
- Incident Date: Occurring continually over the past five years.
- Affected Organization: Over 300 U.S. school districts across virtually every state are referenced in the analysis.
- Sector: Education (K-12 and Colleges).
- Geography: United States.
## Timeline of Events
### Initial Access
- Date/Time: Unspecified, continuous trend over the last five years.
- Vector: Cyberattacks, heavily driven by ransomware tactics.
- Details: Attackers target schools, attracted by the increased likelihood of ransom payment due to the presence of cyber insurance.
### Lateral Movement
- Details: Specific techniques are not described in the source; lateral movement is implied, since ransomware gangs had to reach and collect data from multiple systems before exfiltrating it.
### Data Exfiltration/Impact
- Details: Sensitive information exposed includes special education accommodations, mental health challenges, student sexual misconduct reports, financial and medical information. In some cases, hackers made student and teacher information public after initial denials by districts.
### Detection & Response
- Detection: Detection methods varied by district. The investigation's own analysis included reviewing millions of stolen records uploaded to cyber gangs' leak sites.
- Response Actions: Incident response plans prioritize alerting insurance companies and their privacy lawyers first. These lawyers control forensic analysis, communication, and ransom negotiations, shielding the process under attorney-client privilege. Official public disclosure often lagged, sometimes by months or over a year, after sensitive data was already compromised.
## Attack Methodology
- Initial Access: Ransomware deployment targeting school systems.
- Persistence: Not explicitly detailed; implied, since attackers needed access for long enough to carry out extensive data exfiltration.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Attacker techniques are not explicitly detailed. The source instead notes that districts' initial assurances that data was secure masked the actual compromise status.
- Credential Access: Not explicitly detailed.
- Discovery: Attackers conduct reconnaissance leading to the exfiltration of sensitive files.
- Lateral Movement: Implied requirement to access various systems containing sensitive student and staff data.
- Collection: Gathering of personally identifiable information (PII), sensitive educational records (IEPs, conduct reports), and medical/financial data.
- Exfiltration: Data stolen by cyber gangs and posted on dark web leak sites.
- Impact: Data exposure leading to potential identity theft, fraud, and emotional distress for victims, alongside operational disruption that in many cases led to ransom payments.
## Impact Assessment
- Financial: Ransom payments were often agreed upon behind closed doors to recover files and unlock systems. Costs associated with legal counsel, forensic analysis, and crisis communication are significant.
- Data Breach: Highly sensitive student and staff data, including educational accommodations, mental health records, and sexual misconduct reports. The volume is substantial given the analysis covers 300+ incidents.
- Operational: Disruption leading to the necessity of paying ransoms to regain system access.
- Reputational: Significant erosion of trust between school districts and the community due to delayed and obfuscated communication.
## Indicators of Compromise
- Network indicators: Not provided in the source.
- File indicators: Not provided.
- Behavioral indicators: District leaders providing evasive storylines or refusing to acknowledge basic details of the attacks and data effects.
## Response Actions
- Containment measures: Not detailed in the source; containment was likely handled by external forensic firms engaged under attorney-client privilege.
- Eradication steps: Not detailed.
- Recovery actions: In many cases, recovery involved paying ransom demands to regain access to locked computer systems.
## Lessons Learned
- Systemic failure in communication: School district responses are heavily influenced by legal counsel aiming to limit liability, often resulting in misleading or incomplete information shared with victims.
- Reliance on Legal Privilege: The use of "breach coaches" and attorney-client privilege effectively shields incident details from public scrutiny and victim notification.
- Incentive Structure: Cyber insurance appears to incentivize attacks, as hackers note that insurers make ransom payments "all but guaranteed."
- Ineffective Notification: Current data breach notices are often vague, late, and treated by recipients as "junk mail," failing to prompt necessary protective action by victims.
## Recommendations
- Mandate transparency: Implement stronger requirements for timely and accurate disclosure of data breaches, moving beyond vague language that skirts the line of being "technically accurate."
- Review legal shielding: Evaluate the role of attorney-client privilege in hindering necessary public disclosures during critical cybersecurity incidents.
- Increase accountability: Establish mechanisms, potentially through federal agencies like CISA or educational accountability standards, to penalize districts for misleading the public about data compromises, analogous to SEC scrutiny for misleading investors.
- Improve victim education: Ensure future breach notifications clearly articulate specific risks (e.g., identity theft, fraud) and immediate protective steps victims should take.