NBC News, an American broadcaster has published a report on the data theft of millions of school children and how it can set up a child for a lifetime of potential identity theft. The data includes medical condition, family financial status, Social Security numbers, and birth dates of school children.
According to the NBC report, threat actors posted the excel sheet titled “Basic student information”, maintained by one of the schools on the dark web after they refused to pay the ransom, as instructed by the FBI.
“It lists students by name and includes entries for their date of birth, race, Social Security number, and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged, and if they’ve been flagged as potentially dyslexic,” states the NBC report.
When NBC News contacted some of the targeted schools regarding the data leak, they were unaware of the problem. “I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed. And I don’t think people have a good handle on how large that exposure is,” said Doug Levin, the director of the K12 Security Information Exchange, a nonprofit organization devoted to helping schools protect against cyberthreats.
The recent surge in ransomware attacks has aggravated the problem, as those hackers often release victims’ files on their websites if they refuse to pay the ransom. While the average person may not know where to find such sites, criminal hackers can find them easily. In 2021 only, hackers released data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
The situation is complicated by the fact that many schools are unaware of all the information that’s stored on all their computers, and therefore do not realize the extent of what hackers have stolen. When the Dallas-area Lancaster Independent School District was targeted in a ransomware attack in June, it notified parents but told them the school’s investigation “has not confirmed that there has been any impact to employee or student information,” Kimberly Simpson, the district’s chief of communications, said in an email.
But the NBC News’ investigation uncovered the truth when it discovered the audit from 2018 that listed more than 6,000 students, organized by grade and school, as qualifying for free or reduced-price meals. When contacted for comment on the audit, Simpson did not respond.
Another tactic employed by the attackers is to target a third party that holds students’ data. In May 2021, attackers published files they had stolen from the Apollo Career Center, a northwestern Ohio vocational school that was in the collaboration with 11 regional high schools. The leaked data included hundreds of high schoolers’ report cards from the last school year, all of which are currently visible on the dark web.
“We are aware of the incident and are investigating it. We are in the process of providing notifications to the students and other individuals whose information was involved and will complete the notifications as soon as possible,” Allison Overholt, a spokesperson for Apollo, said in an email.
American parents are quickly releasing that addressing these problems may fall to them. Due to the poor knowledge regarding the data stored on their computers, schools may not even know if they have been hacked or if those hackers have released students’ information on the dark web. Federal and state laws for student information often do not issue clear guidance for what to do if a school is hacked, Levin said.
Eva Velasquez, the president of the nonprofit Identity Theft Resource Center, which helps victims of data theft, is advising parents to freeze their children’s credit to keep them safe from identity theft. “We should for all intents and purposes believe that for the most part, all of our data’s been compromised. We’ve been dealing with data breaches since 2005, and they are absolutely ubiquitous, and just because you didn’t receive a notice doesn’t mean it didn’t happen,” Velasquez said.
Freezing a child’s credit can often be time-consuming, and doing it effectively requires completing the process with all three major credit monitoring services, Experian, Equifax, and TransUnion. But it has become an essential step for digital safety, Velasquez said.
“We encourage parents to freeze children’s’ credit. From an identity theft perspective, that is one of the most robust, proactive steps that a consumer can take to minimize the risk. And it applies to kids, and it’s free,” she concluded.