K-12 Cybersecurity 2018 Year in Review
Part III: Cybersecurity Incidents: 2018
During calendar year 2018, the K-12 Cyber Incident Map cataloged 122 publicly-disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states. (Two school districts were reported to have experienced more than one cybersecurity incident during 2018.) This equates to a rate of about one new publicly-reported incident every three days of the calendar year, a statistic consistent with overall trends observed by the K-12 Cyber Incident Map since 2016.
A timeline of local TV news reports covering the ‘Top 10’ incidents of 2018 helps portray both the variety and real-world impact of K-12 cyber incidents.
The ‘Top 10’ K-12 Cyber Incidents of 2018
Given how different the technological constraints and needs of K-12 schools are as compared to other types of organizations – to say nothing of the uniquely sensitive data they collect and process – what do we know about the actual risks and threats they may be facing? With limited expertise and resources, how should cybersecurity professionals advise schools to respond? Data assembled for the K-12 Cyber Incident Map are instructive. 
The most frequently experienced type of K-12 cyber incident reported during 2018 was the data breach, primarily meeting one of the following four profiles:
- Unauthorized disclosures of data by current and former K-12 staff, primarily—but not exclusively—due to human error;
- Unauthorized disclosures of K-12 data held by vendors/partners with a relationship to a school district;
- Unauthorized access to data by K-12 students, often out of curiosity or a desire to modify school records (including grades, attendance records, or financial account balances); or,
- Unauthorized access to data by unknown external actors, often for malicious purposes.
Just over half of all digital data breach incidents experienced by K-12 schools in 2018 were directly carried out or caused by members of the affected school community (i.e., insiders), whether by staff or students. Incidents involving unauthorized student access to school IT systems raise particularly difficult questions about how school districts and law enforcement should respond, as well as about the sufficiency of the cybersecurity practices of districts that find themselves – in some cases – significantly compromised by their own middle and high school students. This issue was highlighted this year by the K-12 Cybersecurity Resource Center's original report of a student-initiated cybersecurity incident in the Rochester Community School District.
Another 23 percent of data breach incidents reported on the K-12 Cyber Incident Map were the result of a loss of control of K-12 data by school vendors or partners. While such incidents might be addressed through clearer cybersecurity standards for school vendors and better school contracting practices, several incidents in 2018 suggest the issue is more complicated. Partner organizations to school districts – regional service agencies, non-profits, associations, and even state departments of education – with whom student and school staff data are entrusted were among those that experienced data breaches in 2018 (and even then it was sometimes due to the actions of their vendors).
The remaining 23 percent of data breach incidents were carried out by unknown actors, often external to the school community and for malicious purposes (such as identity theft). Especially for school districts without sufficient baseline cybersecurity controls, retrospective attribution of cyber incidents can be difficult.
Student data were included in more than 60 percent of K-12 data breaches in 2018, which should be a cause for concern. First, federal and state student data privacy legislation is intended to reduce the incidence and severity of student data breaches, although data assembled for the K-12 Cyber Incident Map raise questions as to how effectively those policy regimes are working in practice. Second, security researchers have documented dark web marketplaces advertising the stolen personal information of children for use by identity thieves. Indeed, student data breaches can have serious and long-lasting consequences.
Data about school district staff have also been regularly implicated in K-12 cyber incidents. During 2018, 46 percent of all K-12 digital data breaches included data about current and former school staff (such as payroll or other personnel records). In some cases, this has led to payroll theft, identity theft, and the filing of false tax returns of educators and other school district staff.
Phishing attacks—the vast majority of which are carried out over email—were also commonly experienced by school districts. In many cases, these attacks were the method of choice that malicious third parties employed to gain access to sensitive data systems or to deliver and propagate malware on school networks. While some of the phishing attacks experienced by schools were the result of relatively unsophisticated bulk email campaigns, school districts also found themselves specifically targeted by criminal actors.
Perhaps most concerning in 2018 were a number of successful phishing attacks targeted at school district business officials. These scams—designed to redirect large payments from legitimate school contractors/partners to criminal accounts—resulted in the theft of hundreds of thousands or even millions of taxpayer dollars. The largest ever such theft recorded on the K-12 Cyber Incident Map occurred in 2018 and totaled approximately $2 million in losses by a Texas district. Other large-dollar incidents of K-12 cybercrime in 2018 ranged from $300,000 to a high of $988,000 (affecting school districts in Idaho, Louisiana, New Jersey, and Texas). On a positive note, likely due to the success of law enforcement in prosecuting individuals who targeted school district business officials in prior years, successful attempts at W-2 tax fraud via phishing attacks against school business officials appear to have diminished in 2018. The K-12 Cyber Incident Map only reported three such incidents during the year (experienced by districts in Alabama, Texas, and Washington).
Responding to ransomware and other malware outbreaks—representing over 15 percent of all K-12 cyber incidents in 2018—was another commonly experienced challenge, as it has been in recent years. The impact of such incidents varied, but frequently involved significant costs and lost time in restoring IT systems, lost data, communications services, and student/teacher devices. In some cases, IT outages caused by malware on school technology systems extended for weeks. In the most extreme cases, school districts were not able to restore their systems from backups and instead made the controversial choice to pay the extortion demands of criminals to regain access to their systems (as districts in Massachusetts and Michigan did in 2018).
Not all cyber incidents perpetrated against K-12 schools are concerned with school-managed personal data or financial accounts. Two other common cybersecurity-related issues affecting K-12 institutions include denial-of-service attacks and website/social media defacement. While only 10 percent of 2018 incidents reported on the K-12 Cyber Incident Map are categorized as denial-of-service (or DDoS) attacks, anecdotal reporting suggests such incidents are much more common. It may be that public reports of education-specific denial-of-service attacks are only made when disruptions are atypically significant, for instance, due to their persistence or due to the affected applications/services (such as state testing or school communications services). Short-term disruptions due to DDoS attacks may instead be chalked up by users to insufficient school technology infrastructure and/or networks.
School-managed social media and website defacement—representing about 5 percent of incidents experienced by school districts in 2018—is a class of cyber incidents particularly troubling for public institutions charged with serving children. These attacks abuse official communication channels to deliver unauthorized messages or to automatically redirect users from trusted school-managed sites to third-party sites. Most often (but not always) due to a loss of control of passwords of school-managed accounts, individuals internal and external to school communities have compromised the online communication platforms of schools to advance geopolitical propaganda, deliver hateful messages, taunt school leaders and educators, threaten violence, and otherwise disrupt school operations.
 Interacting with the figure on this page will reveal greater details about the characteristics of publicly-disclosed K-12 cyber incidents that were reported during calendar year 2018.
 See, e.g., “Student Hackings Highlight Weak K-12 Cybersecurity.”
 See, e.g., “How to Assess a Vendor’s Data Security.”
 See, e.g., “Officials: Student Info Breached In Bemus Point,” “San Diego County Office of Education notifies component school districts of breach of employee retirement contribution data,” “Mississippi student data accessed in testing-vendor breach,” and “NY Education Department announces data breach by outside assessment vendor.”
 For recent reviews of federal and state student data privacy legislation, see the Parent Coalition for Student Privacy/The Network for Public Education’s “The State Student Privacy Report Card,” Data Quality Campaign’s “2018 State Legislation Update: New Laws Reflect Value of Data” and “Education Data Legislation Review: 2017 State Activity,” and the Center for Democracy and Technology’s “State Student Privacy Law Compendium (2016).” Other student data privacy campaigns are operated by the Electronic Privacy Information Center (EPIC), Electronic Frontier Foundation (EFF), and the Future of Privacy Forum (FPF), among others.
 See, e.g., “Children’s Personal Data and SSNs Are Being Sold on the Dark Web” and “Sowing the Seeds of U.S. Cyber Talent: Leveraging K-12 Cyber-Education to Develop the Cyber-Workforce and Improve National Security.”
 See, e.g., “A new gift card email scam just in time for the holidays,” which did not discriminate in including school-based emails among its targets (“Check Email Addresses Closely, Police Say”).
 Sample media reports of successful large-dollar phishing scams against schools during 2018 include: “Reports: Galloway Schools Scammed for $300k in Cyber Theft,” “Henderson ISD falls victim to fraud scheme ($600,000),” “School district loses three quarters of a million to fraud,” “Caddo Schools scammed out of nearly $1 million,” and “Florida man bought BMW, Rolexes after defrauding Tarrant County school district out of $2M, feds say.”