‘Your child looks so innocent’ — hackers using school data for scary extortion scams

Click to read my essay at IBM’s SecurityIntelligence blog.

The messages were chilling, and believable enough to force the Johnston School District in Iowa to close a school in 2017.

“Your child still looks so innocent,” one text sent to parent read, according the Des Moines Register. “Don’t have anyone look outside….I’m just getting started.” The messages went on to threaten the release of intimate data about school children unless the hackers’ ransom demands were met.

Similar incidents happened at schools in four states around the country.

When cybercriminals half-way around the world can force districts to close schools by sending a couple of carefully-crafted text messages, it’s time to pay attention to the problem.

Data thieves are always looking for new ways to turn stolen data into cash — particularly as bank countermeasures have made traditional methods, like account hijacking or credit card cloning, increasingly difficult. One example is last year’s crush of sextortion emails, which alarmed targeted victims because threatening emails included “real” passwords stolen in previous data heists.

In an alarming new trend, some hackers are using a similar strategy to attack children and school districts — right at a time when the amount of data collected by schools is exploding, leaving many districts increasingly exposed.  The FBI recently issued a warning about all this, and I wrote about it for IBM’s SecurityIntelligence blog.  Click here to read the entire piece. Here’s a quick excerpt.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

CLICK HERE to read the rest of this story

Don’t miss a post. Sign up for my newsletter

About Bob Sullivan 1582 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.


  1. Last year, I was really close to committing suicide after losing about $50,000 to a romance scam by someone who pretended to be in the USA Military, he even proposed to me sent me a ring and flowers. I was so devastated but after a lot of counseling and advice from loved ones and colleague at work I decided to consult a private security Investigation and intelligence firm. I filled a form and provided them with some extra information and within 2 weeks they were able to track down the person behind the account, we reported him to the local police in Malaysia and the were able to make and arrest, and recover some of my money back. you can contact the recovery firm via mail info(at)wealthrecoveryint(dot)com

    • Please are you sure of this? i would give it a try. i have lost so much to a nigerian scammer and i don’t know how possible it is for them to track this scums.

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.