Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Student Data. Show all posts

Rising Cybersecurity Threats: Ransomware Attacks Disrupt Tucson and Nantucket Schools

 

The Tucson Unified School District in Arizona and Nantucket Public Schools in Massachusetts, despite stark contrasts in size and location, both experienced ransomware attacks in early 2023. Tucson, serving around 42,000 students, operates within a major city, while Nantucket's district, with fewer than 2,000 students, is situated on a small island. 

On January 30 and 31, both districts were struck by cybercriminals using ransomware—a form of malware that locks access to critical systems until a ransom is paid. These attacks forced Nantucket schools to close and compromised sensitive data in Tucson.

According to K12 SIX, a nonprofit dedicated to cybersecurity in schools, ransomware incidents within K-12 education have surged in recent years, with around 325 attacks reported between April 2016 and November 2022. In the past year alone, nearly 85 additional incidents have targeted school networks. Data reveals that some districts have even faced ransomware multiple times within this period.

Roberto Rodriguez from the U.S. Department of Education estimates that five cybersecurity incidents hit K-12 schools every week, causing legal, financial, and operational disruptions, as well as emotional impacts on school communities. Experts also note that attacks often involve international criminals, raising national security concerns.

Amy McLaughlin of the Consortium for School Networking (CoSN) explains that K-12 schools are vulnerable because of inadequate cybersecurity resources despite holding extensive digital information, including personal and financial data. She emphasizes that these incidents are not just attacks on individual schools but on the fundamental concept of free public education in the United States.

New extortion tactics, such as dual or triple extortion, compound the issue. Here, criminals not only encrypt data but also threaten to release sensitive information publicly. This heightens risks for identity theft and other types of fraud affecting students, staff, and their families.

These escalating cyber threats have underscored the need for stronger cybersecurity protocols within K-12 education. Doug Levin of K12 SIX notes that the lack of preventive measures, like multifactor authentication, has left schools more exposed to cybercriminals, who primarily target schools for financial gain.

Appscook Data Breach: App Used by Hundreds of Schools Leak Children’s Data


In a recent investigation, a team of security researchers from cybersecurity firm Cybernews found that IT company Appscook – which develops applications used by more than 600 schools in India and Sri Lanka for academic management – leaked a startling quantity of private information, including birth certificates, home addresses, and images of minors.

Nearly a million confidential data were stored in a DigitalOcean storage bucket that was accessible to everybody without the need for authentication. Given that the majority of the compromised files reveal children, leaking private information online in this instance is extremely dangerous.

The stolen data included:

  • Students’ names
  • Names of parents
  • Pictures of students attending pre-primary, primary, and secondary schools
  • Names of the schools' children attend
  • Birth certificates
  • Fee receipts
  • Student report cards/exam results
  • Home addresses
  • Phone numbers

The company's 96 school-specific apps are designed to facilitate online learning and allow parents and schools to communicate directly about their child's daily activities and academic progress. Over a million parents and over half a million pupils use the platform, according to the company's website.

Cybernews attempted to contact Appscook over the issue, but did not receive any response. 

A Major Threat to Students

The data leak has raised concerns over the possible exploitation of the personal information by the cyber criminals. The disclosure of personal details, including home addresses and images, raises the unsettling possibility that unscrupulous individuals may try to coerce parents out of their children by taking advantage of their vulnerability.

According to Vincentas Baubonis, Information Security Researcher at Cybernews, “The leaked data about minors could have dire consequences, as this information can put children at physical risk by revealing their daily whereabouts. It can also be used by someone with malicious intent to impersonate school officials or manipulate children and parents.” 

Threat actors could use the compromised personal information for identity theft, fraud, and targeted phishing attacks against the parents of these children, even though children might not be as vulnerable to digital fraud as adults are.

However, in the worst-case scenario, this data breach can increase the risk of child abuse. The researcher claims that uploading photos of kids online can draw unwelcome attention, even from predators.  

Cybercriminals are Targeting Schools, They are not Ready


This March, the Minneapolis Public Schools district witnessed a major ransomware attack, losing multitudes of private information such as students’ mental health records, sexual assault incidents, suspensions and truancy reports, child abuse allegations, and special education plans, that were released online. 

In 2022, a similar incident took place in a Los Angeles school district, compromising students’ psychological records. Baltimore County Public Schools had a cyberattack in 2020 that caused the district's remote learning programs to be interrupted, its business to be frozen, and cost the school system close to $10 million. The Chambersburg Area School District in Pennsylvania was the most recent educational institution to experience a cyberattack on September 1.

School districts have grown into a frequent target for school districts across the country, where cybercrime actors are regarding school systems as easy targets, due to a lack of cybersecurity infrastructure. Although many school districts are beginning to protect that infrastructure, experts say there is still much work to be done.

Following a phishing attack in 2019, the Atlanta Public Schools district deployed a private firm to look into their networks and find loopholes and vulnerabilities, according to Olufemi “Femi” Aina, the district’s executive director of information technology. Apparently, the district has also introduced security measures including multi-factor authentication on school devices, purchased insurance that covers cybersecurity liability, and backed up important school data offsite.

Additionally, the district educates both staff and kids on cybersecurity. Faculty and staff members are sent to cybersecurity training and take part in simulated phishing exercises. Multifactor authentication configuration and difficult password selection are lessons that are taught to students. 

“If you can prevent your employees or make them more aware, so that they do not click on those harmful emails, or respond to those types of messages, it can be just as effective, if not more, than a lot of different systems that we have,” Aina said.

Compromised private information like social security numbers, student health records and disability diagnoses, can result in days or weeks of missed school and lost instructional time for students. 

The federal government is also stepping in for a solution. Jill Biden, the first lady, Miguel Cardona, the secretary of education, and Alejandro Mayorkas, the secretary of homeland security, all served as cohosts of a recent Department of Education cybersecurity summit, where the agency unveiled a number of new initiatives and provided advice for school districts on how to deal with cyberthreats and what to do in the event of an attack.

According to Kristina Ishmael, deputy director of the Office of Educational Technology, the education department intends to create a special council made up of the federal, state, local, tribal, and territorial governments to coordinate policy and communication between the government and the education sector in order to strengthen school districts' cyber defenses. She described it as the "first step" in the department's plan to safeguard educational institutions from cybersecurity dangers and support their response to assaults.

Also, Federal Communications Commission Chairwoman Jessica Rosenworcel is planning on setting up a pilot cybersecurity program, along with the FCC’s E-Rate program, which was established in the early 1990s as a way to provide affordable internet for schools and libraries. 

The three-year pilot program will offer $200 million to schools and libraries eligible for the E-Rate program in order to hire cybersecurity experts and enhancing schools’ network security.

According to CoSN’s – a K-12 tech education advocacy group – CEO Keith Kruger, groups like the Consortium Networking, or CoSN have urged the FCC to upgrade the E-Rate program to include greater cybersecurity precautions. "We've been saying this is a five-alarm fire for the last two years," he said. 

“None of that really solves the problem that only about one in three school districts has a full-time equivalent person dedicated to cybersecurity,” he said. 

According to Kruger, school districts needs to be creative in their tactics to lure cybersecurity professionals their district need. Such strategies can involve collaborating with nearby community colleges, technical colleges, or vocational institutions to offer internships to students enrolled in cybersecurity programs.  

Schools: Prime Targets for Hackers Amid Poor Cybersecurity and Ransom Payments

 

New data indicates that school districts have become highly susceptible to online exploitation, emerging as the primary target for hackers. According to a recent global survey conducted by the British cybersecurity company 

Sophos, a staggering 80% of schools experienced ransomware attacks last year, representing a significant increase from the 56% reported in 2021. This doubling of the victimization rate over two years has led researchers to label ransomware as the most significant cyber risk faced by educational institutions today.

Comparing various industries, schools fared the worst in terms of victimization rates, surpassing even sectors like healthcare, technology, financial services, and manufacturing. 

The survey, which included responses from 400 education IT professionals worldwide, revealed that United States institutions are particularly attractive targets for hacking groups, especially since the events surrounding Russia's invasion of Ukraine.

Two factors have made schools especially vulnerable to cyber threats in the United States. First, the cybersecurity measures in educational settings often lag behind those in major businesses, such as banks and technology companies. Second, schools prove to be easy targets for exploitation due to their willingness to pay ransoms. 

Last year, nearly half of the attacks on schools resulted in ransom payments, further enticing threat actors. Unfortunately, this combination of weak defenses and a readiness to pay has made schools a "double whammy" for hackers, according to Chester Wisniewski, the field chief technology officer of applied research at Sophos.

The motivation to pay ransoms seems to be influenced by insurance coverage. In districts with standalone cyber insurance, 56% of victims paid the ransom, while those with broader insurance policies covering cybersecurity saw a payment rate of 43%. Insurance companies often cover ransom demands, giving them significant sway over which districts comply with the extortion demands.

Elder, a school representative, acknowledges the difficult decisions schools face when dealing with ransomware attacks. While it is essential to safeguard confidential information and protect people, the pressure to manage resources and finances can make the choice challenging.

Ultimately, the data suggests that schools must prioritize and strengthen their cybersecurity practices to avoid falling prey to hackers and ransom demands. 

Relying on insurance alone may not provide a comprehensive solution, as hackers continue to exploit vulnerabilities, and insurance companies struggle to keep pace with evolving threats.

Otago University Students at Risk From a Security Flaw

 


The University of Otago has informed the Privacy Commissioner that a digital security breach made the personal information of the majority of its students accessible to others.

Many University of Otago students, particularly potential students, had access to their personal information without protection for six weeks. Anyone with a valid university email address had access to a sizable database that contained personal information in some files due to a technical error in a new software system.

The institution was not informed of the privacy violation until a journalist from the student publication Critic Te Ārohi informed them of it. As per the reports, 23 students or so accessed material that was not intended for them.

While the danger of harm was 'extremely minimal,' some information could have been accessed during this time, and the majority of students could anticipate hearing from a privacy officer, according to a university representative.

There were also user IDs for the staff members and bank records showing the transactions made using their business cards. A few documents, according to the representative, have been downloaded, but still, an audit had been done to make sure they had been removed.

University officials have been meticulously sifting through data to identify file accessors, the content they viewed, and any individuals whose data may have been compromised as a result. Most Otago students will be sent one or more of these data theft notice emails due to the variety of files in the system. This is due to the fact that some of the files that were viewed contained data about 2023 course enrollments or course approvals.

Stephen Willis, the chief operating officer of the university told RNZ that the office of the Privacy Commissioner was informed of the breach immediately and kept informed as the institution looked into it, he said, "We have discovered who was impacted and what data was accessed thanks to our investigation. We have convinced students that our IT security team had complete visibility into every detail of who accessed files, when, and what they were used for."

Everyone who had unlawfully accessed a file had been contacted and asked to sign a non-disclosure agreement as the University could identify who had viewed which documents.

Elasticsearch Database Mess Up Exposed Login, Leaked Personal Data of 30K Students

 

The cybersecurity investigation team at SafetyDetectives, led by Anurag Sen, discovered a misconfigured Elasticsearch server that exposed Transact Campus app data. According to their findings, the server was internet-connected and did not require a password to access data. As a result, over 1 million records were compromised, disclosing personally identifiable information for roughly 30,000 to 40,000 students. 

Transact Campus is a payment software supplier based in Phoenix, Arizona. The firm provides technology solutions for combining several payment functions into a single mobile platform. Its software solutions are primarily used to expedite payment procedures for universities and students and to facilitate student purchases at higher education establishments. 

According to the report by SafetyDetectives, the 5GB database released by the server contains information about students who had Transact Campus accounts. The majority of those affected are US citizens. The following details of students among the information were exposed: 

It should be noted that the login information, including the username and password, was saved in plain text format. The credit card information, on the other hand, includes the banking identity number, which consists of the first six and final four digits of the credit card number, bank information, and the card's expiration date. Furthermore, the bought meal plans and meal plan balances of the students were included in the hacked data. 

Transact Campus’ Response

SafetyDetectives notified Transact Campus about the exposed database in December 2021, and the corporation responded in January 2022, more than a month later. However, the incident's specifics were only revealed last week. 

During this time, researchers attempted to contact them multiple times and also alerted US-CERT, after which it was secured. Transact Campus stated that the disclosed server was not under their control and that the data was fictitious. The corrupted Elasticsearch database appeared to belong to Transact Campus, a US-based software solution company. 

Transact Campus stated, “Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.” 

However, according to SafetyDetectives, the server in issue was constantly being updated even when it was found. They examined the data using freely available technologies and discovered that it belonged to genuine persons. 

Researchers were unable to determine whether or not unauthorised third parties or malicious actors gained access to the database before it was secured. If it was accessible, hackers might target students in a variety of attacks, such as frauds, phishing, spam marketing, or even account takeover, because login credentials were saved on the server in an unencrypted form.