Keeping K-12 Cybersecure – the newsletter of the K-12 Cybersecurity Resource Center – curates the best cybersecurity and privacy news for K-12 policymakers, administrators, IT professionals, vendors, and privacy advocates. The latest edition (“We Take Your Privacy and Security Seriously”) provides information on recent updates to the K-12 Cyber Incident Map, other additions to the Resource Center, and curated news you can use.
Here’s your reading list for articles published during the last two weeks of February 2019:
- That email from your principal or superintendent requesting you purchase a gift card? A scam. What you need to know: the Nigerian criminal group behind the effort, which calls itself Scarlet Widow, is targeting U.S. K-12 schools and non-profits. Among its targets, experts count “dozens of small-town schools and school districts in Indiana and Wisconsin.”
- According to this report, many North Dakota schools don’t have a plan to defend against cyberattacks. I’d hazard a guess that schools in other states – by and large – aren’t in a better place. To help remedy that issue, state legislators are considering their options (e.g., by mandating a uniform approach to cybersecurity for public entities).
- Speaking of state legislative action, in Texas there is movement to mandate new cybersecurity incident reporting requirements on school districts. While the text of the House bill isn’t yet available, what appears to be a companion bill has been introduced in the Senate by Senator Nelson as SB 820.
- Three years ago, a Pennsylvania high school student was alleged to have spent $20 to launch a denial-of-service attack against local area schools. Today, she is still embroiled in a legal case to defend herself against two felony counts for the unlawful use of a communication device to disrupt computer functions (“Judge rejects claim by attorneys for former Franklin Regional student charged in cyberattack”). The former student recently lost a motion to exclude evidence in her case, claiming police improperly accessed her personal Google account, which she used at the school. The judge ruled that the search and seizure of her internet browsing history was supported by reasonable suspicion and the fact that she “abandoned any particular privacy interest she may have had in the information stored on her Google account by having it set to automatically log in.” The defendant remains free on a $10,000 unsecured bond. A date for her trial has not been scheduled. (In related news, the operator of the DDoS-for-hire service – Betabooter – allegedly used in this case just pleaded guilty to charges brought by the US Department of Justice.)
- In a story that made national headlines, a former Virginia high school teacher was sentenced to nearly three years in prison for hacking into the private digital accounts of celebrities and others. Of note, court documents say he admitted hacking or trying to hack accounts of current and former teachers and students at his high school.
- From Canada comes a story about the troubled rollout of a learning management system (“Stouffville parents fear potential breach, want kids’ information off education app”). At issue, a parent (who happens to be the CEO of a cyber risk consulting firm) identified security issues that were not addressed to his satisfaction.
- Stop saying, ‘We take your privacy and security seriously.’ Amen.
Be sure to check out the full newsletter and sign up to ensure you get all the latest news direct to your inbox. And, as always, please contact us with any feedback, tips, or suggestions.