When Hackers Come for America’s Schools
Michael Klein spent nearly two decades in K–12 education—as a teacher, district leader, and federal cyber policy official at the US Department of Education—watching hackers take down school networks, steal children’s most sensitive secrets, and walk away unpunished. Now Senior Director for Preparedness and Response at the Institute for Security and Technology, he’s still sounding the alarm.
Schools are sitting on mountains of data about children that are poorly protected. You watched many cyberattacks unfold in front of you. When did this threat stop being theoretical for you?
I was running a school district as an IT director. And at that point I came to an understanding of what kind of sensitive data we have access to. I did a scan of Have I Been Pwned for all of the times that school district accounts showed up in those places and realized: people can get in very easily to these systems. And then especially when the pandemic hit and we went to virtual learning, we saw a lot more attacks coming.
The pandemic was something of a watershed moment for cybercrime. Was it for schools?
Absolutely. It provided almost ubiquitous access to devices and internet at home and at school for students and staff, which was not common in every district. My school district did not have one-to-one devices—only our high school had that. When the pandemic hit, we literally needed to go into the carts, strip the carts, wipe the computers down, reimage all the computers, send a survey home to parents to figure out who has a device at home. There were multiple considerations: families with five kids, do we give them two devices? We were in a low-income district where we didn’t even have enough machines to give to kids. And as with many organizations, school districts tend to prioritize operational effectiveness over security. The fact that you couldn’t run class was unacceptable. The fact that you had to secure all of the things on the network was secondary.
Which incidents have been defining for the education sector?
There are two that bookend my time at the Department of Education. The first is the LA Unified School District ransomware attack in the fall of 2022—an attack that happened over Labor Day weekend and tried to take down the second largest school district in the country. That led to a response from federal agencies. If you take down a school district with 500,000 children in it, you’re stopping all those parents from going to work. You’re stopping a huge part of the economy. The second was the PowerSchool incident—right at the end of my time at the department. A student information system serving about a third of school districts in the country, 4,000 districts. It contains the most sensitive information about students: dates of birth, sometimes social security numbers, custody arrangements, where their parents live. A 19-year-old from Massachusetts with just a username and password was able to log in to an administrative account and exfiltrate the data of tens of millions of American children.
What does it actually look like on the ground when a school is hacked?
It’s basically chaos. Internet and phones go down. The ability of parents to find out what’s happening is not there. You end up asking: who can pick these children up from school? Because if you can’t access the databases that tell you who is legally allowed to pick this child up, you now have a problem. If we put them on a bus, does the bus system connect back to that—and now we don’t know where to drop them? Do we know who gets free lunch, or do we just give free lunch to everybody because we don’t have a way of knowing which kid is supposed to pay? And that’s before even thinking about the fact that teaching and learning just stops. People are using technology to do the day-to-day teaching of their classes. There aren’t necessarily backup plans.
The problem with proportionate response to these attacks is that data breaches feel abstract to people. Children’s records stolen—so what?
The first piece is it opens you up to a life of cyber-enabled fraud, credit card accounts or lines of credit opened in your name. Then there’s individual-level extortion: if they don’t get paid by the organization, they reach out to individuals. But the most important harms are the ones we don’t often think about—things like self-harm for students, the feelings of exposure that might lead them to harm themselves. Or they might become targets of physical violence, depending on what the sensitive data is and how physically close the people are to them. The Navigate 360 incident is the clearest example. That was a cyber tip line used not just by the FBI but by many school districts—a way for students to put in what were supposed to be anonymous tips about threats of violence, self-harm. That data was breached. This opens people who reported in the database to harm.
Ransomware gangs do not shy away from hitting critical organizations and public services. Do they think twice about going after children?
I can’t think of any organizations that I know that have purposefully avoided schools. Cybercrime tends to go to places where it can make the most money and where criminals have a safe haven. Education is not given the same level of pushback as, say, health care systems—because it is seen as cybercrime, not national security. It tends not to be loss of life in most cases. Schools are generally considered open for business in terms of cybercrime. That is not great.
Schools are often defined as "target rich, cyber poor". Why does the resource gap still exist? Schools know they are targets.
We have 14,000 school districts in the United States. Seventy percent of them are very small—2,500 students or fewer. Many have no dedicated IT staff, let alone a dedicated cybersecurity person. The vast majority of funding for schools comes from property taxes in that locality, and most states do not have a strong redistributive mechanism. There was a push from previous administrations for significantly more federal support. Most of that support has been significantly diminished in the last year. The capacity that had been built, that was going in the right direction, has been reversed.
What’s the human cost that never makes it into the incident report?
One thing that never makes it into the mainstream is how the frequency and intensity of incidents can make it feel one of two ways—either you’re in a bunker mentality, trying to block everything, feeling overwhelmed. Or you end up saying: I literally can’t do anything about this, why am I even bothering? In the PowerSchool incident, when you’re relying on a third-party provider, you have almost no control. You did your due diligence; you went through all the steps, and then still this happens. From a student level, it just becomes an expectation: I have no privacy. All the data is just out there. But the level of real-world harm that comes from the cyber world is one that we cannot ignore.
Michael Klein, Senior Director for Preparedness and Response, Institute for Security and Technology