Hackers Smell Blood As Schools Grapple With Virtual Instruction

Goolsby Elementary School second-grader Ella Dweck (left) is tutored by College of Southern Nevada student Jordyn Leal as she takes an online class during the first week of distance learning for the Clark County School District in August. The district was recently the target of hackers.

Photo: Ethan Miller/Getty Images

Jeff Pelzel knew something was wrong when he arrived at his office on Sept. 14 and saw no new emails in his inbox. “That never happens,” said Mr. Pelzel, the superintendent of the Newhall School District in Southern California.

Mr. Pelzel asked his information-technology specialist whether the district’s email system was down. Within minutes, he said, an assistant responded with bad news: Hackers had crippled the district’s computer network.

The ransomware attack forced the district to reboot its networks and cancel five days of virtual instruction for roughly 6,000 elementary school students, Mr. Pelzel said. A month later, a joint investigation with an outside forensics firm continues, he said, underscoring the havoc that hackers have wreaked on some districts’ networks during the coronavirus pandemic.

“We’re a little district,” Mr. Pelzel said, adding that the district near Los Angeles doesn’t have a cybersecurity staff dedicated to countering attackers. “This is what these people do for a living.”

Many K-12 schools that recently returned to virtual instruction handed out devices to students and teachers while trying to prevent computer networks from crumpling under a surge in use. Now, as this unique school year unfolds, attackers are circling.

They have ranged from students, such as a Miami high-schooler recently arrested for allegedly overloading his district’s systems with a denial-of-service attack, to professional hackers demanding money. The increase in data breaches, ransomware and phishing attacks is disrupting classes from New York to California for as long as a week at a time as schools’ overburdened tech staffs, many without dedicated cyber experts, try to keep up.

After the Las Vegas-area Clark County School District, a 320,000-student system, didn’t pay ransom to hackers, they dumped the Social Security numbers of district employees online last month. After a similar attack in September on Fairfax County Public Schools in Virginia, a local teachers union is still seeking answers about which of its members’ data was compromised, according to an Oct. 10 email from the union to district officials viewed by WSJ Pro Cybersecurity.

At least 289 districts across the U.S. have suffered cyber incidents such as hacks this year, according to Doug Levin, who runs Arlington, Va.-based consulting firm EdTech Strategies LLC.

The number of publicly reported attacks jumped in August and September following a lull during the early months of the coronavirus pandemic, Mr. Levin said.

“The start of this school year has come in like a lion,” he said, noting that many districts don’t report cyber incidents. “It is far, far worse than what is actually displayed.”

For some students like Danny Rubin, a senior at Yorktown High School north of Manhattan in New York’s Hudson Valley, the threat of a cyberattack is a depressing addition to a school year marked by health fears, at-home gym classes and remote college visits.

“This is what it’s come to: The world ended and people are now hacking into schools,” said Mr. Rubin, whose school temporarily shifted from a hybrid learning model to all-remote lessons after its district shared news of a cyberattack on Oct. 12.

The ransomware attack encrypted data on the Yorktown Central School District’s networks, forcing officials to restore servers from backups and go room-to-room to reimage devices, Superintendent Ron Hattar said in an email to parents Thursday viewed by WSJ Pro Cybersecurity. The superintendent’s office didn’t respond to requests for comment.

While large districts have bolstered security in recent years as instruction has become more digital, many smaller districts don’t have chief information security officers like companies do to police their networks, said Richard Cocchiara, a former CISO for the New York City Department of Education who now works at a risk-management startup.

“They barely have a technical department,” said Mr. Cocchiara, who oversaw more than 100 employees across data and security teams for the 1.1 million-student department.

While schools can access information about threats through the Multi-State Information Sharing & Analysis Center, an intelligence-sharing group, efforts to bridge security gaps are often ad hoc.

April Mardock, for example, watches over Seattle Public Schools’ networks by day as the district’s IT operations and cybersecurity manager. By night, she swaps best practices in a 153-member Slack channel for a grass-roots group called OpsecEdu, as well as in a forum on the messaging service Discord of about three dozen K-12 cyber pros across the Pacific Northwest.

The Seattle district’s IT team is relatively robust with its 18 engineers, including the equivalent of two who focus on cybersecurity full time, but expanding the district’s networks to cover 53,000 student devices—up from roughly 6,000 before the pandemic—has left the team scrambling, Ms. Mardock said.

“The opponent is fighting with cluster bombs and we are fighting with muskets and slingshots,” Ms. Mardock said of K-12 cybersecurity generally.

Virtual mischief also expands the workload. At the Beaverton School District, which serves more than 41,000 students in the Portland, Ore., area, Information Security Architect Nathan McNulty said he has been tasked with investigating some students’ bad behavior online such as name-calling in private chats. Previously handled by teachers or principals’ offices, the disciplinary work takes Mr. McNulty, the district’s lone security specialist, away from scanning networks for vulnerabilities and from patching software.

Mr. McNulty, who sits within the broader IT department, said building out a larger cybersecurity team could be difficult given budget constraints. “To pay for my position, we have one less teacher,” he said.

Some lawmakers in Washington appear to have noticed. Reps. Doris Matsui (D., Calif.) and Jim Langevin (D., R.I.) on Friday introduced a bill to shore up K-12 cybersecurity by tracking incidents at the federal level and creating a $400 million grant program for schools.

At the Newhall School District, a four-person tech team is still working to restore certain data as teachers settle back into virtual classes. “This is a marathon,” said Mr. Pelzel, declining to discuss any potential demands by the attackers. “Who would have thought that we would be wanting to return to ‘normal’—‘normal’ being online learning?”

Write to David Uberti at david.uberti@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8