The messages were chilling, and believable enough to force the Johnston School District in Iowa to close a school in 2017.
“Your child still looks so innocent,” one text sent to parent read, according the Des Moines Register. “Don’t have anyone look outside….I’m just getting started.” The messages went on to threaten the release of intimate data about school children unless the hackers’ ransom demands were met.
Similar incidents happened at schools in four states around the country.
When cybercriminals half-way around the world can force districts to close schools by sending a couple of carefully-crafted text messages, it’s time to pay attention to the problem.
Data thieves are always looking for new ways to turn stolen data into cash — particularly as bank countermeasures have made traditional methods, like account hijacking or credit card cloning, increasingly difficult. One example is last year’s crush of sextortion emails, which alarmed targeted victims because threatening emails included “real” passwords stolen in previous data heists.
In an alarming new trend, some hackers are using a similar strategy to attack children and school districts — right at a time when the amount of data collected by schools is exploding, leaving many districts increasingly exposed. The FBI recently issued a warning about all this, and I wrote about it for IBM’s SecurityIntelligence blog. Click here to read the entire piece. Here’s a quick excerpt.
Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.
The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News
It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.
While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.
“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.