The majority of people do not use bank passwords. As of the present, just a small percentage of people have credit ratings. Even now, portions of the internet are swamped with millions of kids’ personal information.
Ransomware attacks have wreaked havoc on businesses and institutions, exposing personal information on everyone from hospital patients to police officers. It has also affected school districts, with information from thousands of schools being exposed to hackers’ websites.
Some of the schools approached about the leaks seemed utterly unaware of the problem. Even though schools can resume operations after an assault, parents have limited recourse when their children’s information is released.
Some of the data is personal, such as medical difficulties or family financial situations. Other data such as Social Security numbers or birthdays act as permanent markers of who individuals are, and their theft can set them up for a lifetime of identity theft.
According to K12 Security Information Exchange, a charity dedicated to assisting schools safeguard against cyberthreats, public school systems are even less prepared to protect children’s data from dedicated criminal hackers than many private sector firms.
“I believe it’s pretty clear right now that they’re not paying enough attention to how to keep data secure,” the organization’s president stated. “I suppose everyone is unsure what to do if it is discovered.” “And I don’t believe people comprehend the magnitude of that exposure.”
The situation is deteriorating.
For more than ten years, academic institutions have been a common target for hackers who steal people’s data, which they usually bundle and sell to identity thieves, according to experts. However, no clear legal mandate exists for what schools should do if hackers access their student’s personal information.
The recent emergence of ransomware has compounded the situation, as hackers frequently publish victims’ files on their websites if they do not pay the ransom. Criminal hackers can easily find such sites even if the average person has no idea where to seek them.
Scammers may move quickly after receiving the information. A parent stated that someone who had their child’s information tried to get a credit card and a vehicle loan under their elementary school-aged son’s name a few months after ransomware hackers targeted Toledo Public Schools in Ohio.
In December, when hackers gained access to the Weslaco Independent School District near Texas’ southern border, staff members acted quickly to warn nearly 48,000 parents and guardians. They did not pay the hackers as the FBI instructed and instead restored their system using backups they had saved for such a situation.
Upset by Weslaco’s refusal to pay, the hackers published the stolen materials to their website. One of them, an Excel spreadsheet named “Basic student information” that has a list of over 16,000 pupils, about the combined student population of Weslaco’s 20 schools last year, is still available online. It displays students by name and contains information such as their birthdate, race, Social Security, gender, and whether they’re an immigrant, homeless, economically disadvantaged, or have been identified as perhaps dyslexic.
According to Carlos Martinez, executive director of technology, the district’s cyber insurance covered the cost of free credit monitoring for employees. However, the protections for students whose personal information was maintained by their school and then exposed by hackers are unclear. The Weslaco school system is still figuring out what to do, if anything, for the pupils whose information was revealed nine months later, Martinez said.
“Right now, we have attorneys looking into it,” he said.
The impact is unknown.
Ransomware hackers are primarily motivated by financial gain and seek out easy targets. That means the information hackers post online is frequently a jumble of dispersed files they were able to scrounge, and even the school districts may be unaware of what has been taken and revealed.
The situation is worsened by the fact that many schools are unaware of the information kept on their computers and the breadth of the data acquired by hackers. When the Lancaster Independent School District in Dallas was targeted by ransomware in June, it notified parents. Still, it claimed the investigation “has not established that there has been any effect to personnel or student information,” according to Kimberly Simpson, the district’s chief of communications.
Further research of the files leaked due to the attack turned up an audit from 2018 that showed over 6,000 pupils as eligible for free or reduced-price meals, grouped by grade and school. Simpson did not yield a request for comment on the audit.
Students’ information is sometimes made public because third parties hold it. Hackers took files from the Apollo Career Center, a vocational school with 11 regional high schools in northwest Ohio, and put them online in May. Hundreds of high school students’ report cards from the previous academic year are viewable in those files.
Allison Overholt, an Apollo spokesman, said the organization was still attempting to notify students whose information had been compromised.
She stated, “We are aware of the issue and are investigating it.” “We are in the process of notifying students and other persons whose information was affected, and we will complete the notifications as quickly as feasible,” said the company.
According to Levin, schools and school districts hold a lot of data on children and often don’t have the funds to hire specialist cybersecurity experts or services.
He explained, “School districts collect a lot of sensitive data on pupils.” “Some of it has to do with the pupils. It’s partly due to their medical background. It could be related to police enforcement. It likely has something to do with shattered families. Schools have a solemn responsibility to care for children, and as a result, they collect a great deal of data.”
Taking the initiative.
Parents increasingly find that it may be up to them to solve these issues. Schools may not even be aware whether they’ve been hacked or if hackers have leaked information about their pupils on the dark web. And according to Levin, federal and state laws governing student information often do not provide clear guidance on what to do if a school is hacked.
As a result, there is little that parents and children can do to protect themselves from criminals gaining access to their personal information and using it to commit identity theft or fraud in their names. The most crucial thing they can do is put their credit on hold. At the same time, they’re still minors, according to Eva Velasquez, president of the non-profit Identity Theft Resource Center, which assists data theft victims.
Is cyber insurance up to dealing with the rising number of ransomware attacks?
“For all intents and purposes, we should believe that all of our data has been compromised,” Velasquez said. “We’ve been dealing with data breaches since 2005, and they’re everywhere. Just because you didn’t get a notice doesn’t mean it didn’t happen.”
Freezing a child’s credit can take a long time, and it requires working with each of the three major credit monitoring services, Experian, Equifax, and TransUnion. However, according to Velasquez, it has become necessary to ensure digital safety.
“We encourage parents to put a credit freeze on their children’s accounts,” she said. “In terms of preventing identity theft, this is one of the most effective and proactive measures a consumer can take. It also applies to children and is completely free.”