New research finds ‘record-breaking’ number of K-12 cyber incidents in 2020

A new report released Wednesday found that K-12 schools in the United States experienced a “record-breaking” number of cyber incidents during 2020 as classes moved online and hackers moved in on vulnerable targets in the midst of the COVID-19 pandemic.

The report, put together by the K-12 Cybersecurity Resource Center, tracked 408 cybersecurity incidents that hit K-12 institutions over the past year, an 18 percent increase from 2019 and an average of two cyberattacks per school day aimed at the nation’s education system. 

These attacks significantly affected classes during 2020, particularly as the COVID-19 pandemic forced schools to move classes online, giving hackers more opportunities to exploit vulnerabilities. 

“Due to the COVID-19 pandemic, the presentation of school cyber incidents over the course of the 2020 calendar year was atypical, testing the nimbleness of school district IT staff and operations,” the report reads. 

The most widespread cyber incidents were ransomware attacks, in which a hacker infiltrates a network and hold it for ransom, along with data breaches of student and staff personal data that included everything from bullying reports to Social Security numbers. 

Class invasions were also a significant trend, with these incidents involving a malicious actor gaining access to an online video conferencing system and disrupting it, often with inappropriate images or words. 

This trend was seen particularly at the beginning of the pandemic, and was used to interrupt classes on video conferencing platform Zoom in so many situations that the term “Zoombombing” was coined. 

The K-12 Cybersecurity Resource Center reported that the incidents were exacerbated by the quick pace of the move to online learning and the lack of investment in cybersecurity beforehand. 

“Calendar year 2020 offered a profound stress test of the resiliency and security of the K-12 educational technology ecosystem,” the report reads. “The evidence suggests that in rapidly shifting to remote learning school districts not only exposed themselves to greater cybersecurity risks but were also less able to mitigate the impact of the cyber incidents they experienced.”

“While no one can predict whether another global pandemic will close schools to in-person learning, important lessons can and should be drawn from this experience to ensure that if such an event (or something like it) occurs again in the future, districts are better prepared,” the organization concluded. 

Multiple school districts across the nation saw classes interrupted during 2020 by cyberattacks, including those in Miami-Dade County, Fla.; Baltimore County, Md.; and Fairfax County, Va.

Even before the pandemic, cyberattacks on school districts were ramping up, with Louisiana declaring a state-wide emergency in 2019 in the wake of a coordinated ransomware attack on multiple school districts. 

The Government Accountability Office (GAO), a federal watchdog agency, published findings last year that concluded that the increasing number of cyberattacks on K-12 institutions in the U.S. were putting students at risk. The GAO relied on data from the K-12 Cybersecurity Resource Center in compiling its report. 

Capitol Hill is also concentrated on the issue. The report was rolled out as part of the K-12 Cybersecurity Leadership Symposium, at which Rep. Jim Langevin (D-R.I.) said he was looking at reintroducing legislation to address cyber threats to the nation’s schools.

The legislation, previously introduced last year with Rep. Doris Matsui (D-Calif.), aimed to establish a $400 million grant program to help expand the cybersecurity workforce and improve critical infrastructure to protect K-12 institutions. 

“I can promise you this is something I am dedicated to supporting and helping to enhance the security of our schools,” Langevin said during the virtual conference.