On October 30, 2017, I wrote a piece called Student Data in Schools the Target of Cyberattacks. Almost a year later, on September 13, 2018, the Federal Bureau of Investigation released a Public Service Announcement entitled Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students. Whether you have heard of this or not, it is very important to understand and I will try to lead you through the circumstances that lead to this PSA from the FBI.
Now, before I go any further, if you work for or have a child currently or previously enrolled in Oak Grove School District, I want you to know that our IT department has been vigilant in keeping our security systems as up-to-date as we can based on current industry standards so that we can protect student and employee data. To date, I do not personally know of any malicious infiltration that has ever occurred within our systems. We also have started about three years ago a diligent effort to ensure that the education-as-service providers we use also protect student data to current industry standards - you can read about this effort and teachers' responsibilities in this effort in our blog post Student Data Privacy and Safety.
The FBI notice refers to a number of school districts in Iowa, Texas and Montana that were ransomed by cyber attackers in late 2017. The attackers stole personal information on students, families, and staff and then threatened to release the data unless payment from the district was received. In the process of making these threats they also threatened physical harm, and shamed and bullied students and parents through personal email, phone texts, and Facebook posts. This was announced by the United States Department of Education on October 16, 2017, titled ALERT! - CyberAdvisory - New Type of Cyber Extortion/Threat (the announcement has links to two news articles about the incidents).
Also mentioned in the FBI notice are two large EdTech companies, most likely Schoolzilla and Edmodo. In April of 2017, Schoolzilla was the subject of a white-hat hacker (someone who identifies weaknesses in a computer system and notifies the company about the vulnerability rather than exploiting it). This was reported in the online news source EdSurge and confirmed by Schoolzilla on their blog post: Our Commitment to Information Security. The second company was Edmodo. As reported on the Motherboard, over 77 million client records were captured and were being sold on the Dark Web (relatively secret locations on the internet where illicit activity occurs) for just over $1000. Luckily, Edmodo uses a difficult cryptology algorithm for its passwords, but it is unclear what other data might have been compromised, probably including over 40 million email addresses of students, parents and teachers.
These are just a few examples of the ways that school districts and EdTech companies have been targeted by cyber attackers. Since January 2016 (a mere two and a half years ago), there have been 370 reported incidents of security breaks at United States School Districts.
Though Oak Grove School District has not yet had an incident, the IT department remains ever vigilant to ensure that student and staff data remains secure, and the EdTech team seeks to constantly remind students and staff to use best practices with securing their accounts and passwords.
Now, before I go any further, if you work for or have a child currently or previously enrolled in Oak Grove School District, I want you to know that our IT department has been vigilant in keeping our security systems as up-to-date as we can based on current industry standards so that we can protect student and employee data. To date, I do not personally know of any malicious infiltration that has ever occurred within our systems. We also have started about three years ago a diligent effort to ensure that the education-as-service providers we use also protect student data to current industry standards - you can read about this effort and teachers' responsibilities in this effort in our blog post Student Data Privacy and Safety.
The FBI notice refers to a number of school districts in Iowa, Texas and Montana that were ransomed by cyber attackers in late 2017. The attackers stole personal information on students, families, and staff and then threatened to release the data unless payment from the district was received. In the process of making these threats they also threatened physical harm, and shamed and bullied students and parents through personal email, phone texts, and Facebook posts. This was announced by the United States Department of Education on October 16, 2017, titled ALERT! - CyberAdvisory - New Type of Cyber Extortion/Threat (the announcement has links to two news articles about the incidents).
Also mentioned in the FBI notice are two large EdTech companies, most likely Schoolzilla and Edmodo. In April of 2017, Schoolzilla was the subject of a white-hat hacker (someone who identifies weaknesses in a computer system and notifies the company about the vulnerability rather than exploiting it). This was reported in the online news source EdSurge and confirmed by Schoolzilla on their blog post: Our Commitment to Information Security. The second company was Edmodo. As reported on the Motherboard, over 77 million client records were captured and were being sold on the Dark Web (relatively secret locations on the internet where illicit activity occurs) for just over $1000. Luckily, Edmodo uses a difficult cryptology algorithm for its passwords, but it is unclear what other data might have been compromised, probably including over 40 million email addresses of students, parents and teachers.
These are just a few examples of the ways that school districts and EdTech companies have been targeted by cyber attackers. Since January 2016 (a mere two and a half years ago), there have been 370 reported incidents of security breaks at United States School Districts.
Though Oak Grove School District has not yet had an incident, the IT department remains ever vigilant to ensure that student and staff data remains secure, and the EdTech team seeks to constantly remind students and staff to use best practices with securing their accounts and passwords.