Most do not have a bank password. Few of them have credit scores yet. Still, parts of the Internet are teeming with personal information about millions of schoolchildren.
The continuing wave of ransomware attacks has cost businesses and institutions billions of dollars and exposed personal information on everyone from hospital patients to police officers. It has also hit school districts, which means that the files of thousands of schools are currently visible on the sites of these hackers.
NBC News collected and analyzed school files from these sites and found they were littered with personal information about children. In 2021, ransomware gangs released data from more than 1,200 U.S. schools from kindergarten to grade 12, according to a tally provided to NBC News by Brett Callow, ransomware analyst at cybersecurity firm Emsisoft.
Some schools contacted about the leaks appeared to ignore the issue. And even after schools are able to resume operations following an attack, parents have little recourse when their children’s information is leaked.
Some data is personal, such as medical conditions or the financial situation of the family. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who a child is, and their theft can expose a child to potential identity theft for life.
Public school systems are even less equipped to protect student data from hackers than many private sector companies, said Doug Levin, director of the K12 Security Information Exchange, a nonprofit dedicated to helping schools protect against cyber threats.
“I think it’s pretty clear right now that they’re not paying enough attention to how to ensure data security, and I think not everyone knows what to do when it’s exposed,” Levin said. “And I don’t think people have a good idea of the magnitude of this exhibition.”
For more than a decade, schools have been a regular target for hackers who tamper with people’s data, which they generally bundle and sell to identity thieves, experts say. But schools never had a clear legal mandate for what to do after hackers stole their students’ information.
The recent rise in ransomware has compounded the problem, because these hackers often post the victims’ files on their websites if they don’t pay. While the average person may not know where to find such sites, hackers can find them easily.
Scammers can act quickly after the information is published. In February, just months after public schools in Toledo, Ohio, were hit by ransomware that posted student names and Social Security numbers online, a parent told WTVG-TV of Toledo that someone who had this information had started trying to take out a credit card and a car loan in the name of his school-aged son.
In December, when hackers broke into the Weslaco Independent School District near the southern Texas border, staff members quickly alerted more than 48,000 parents and guardians to the breach. They followed the FBI’s advice not to pay the hackers and restored their system from the backups they had kept for such an emergency.
But the hackers, spurned by Weslaco’s decision not to pay, dumped the files they had stolen onto their website. One of them, still posted online, is an Excel spreadsheet titled “Basic Student Information” which contains a list of approximately 16,000 students, roughly the combined student body of the 20 schools in Weslaco last year. It lists students by name and includes entries for their date of birth, race, Social Security number, and gender, as well as whether they are immigrants, homeless, marked as economically disadvantaged, and have been reported as potentially dyslexic.
The district’s cyber insurance paid for free credit monitoring for staff, said Carlos Martinez, its executive director of technology. But the protections for children whose information has been stored by their school and exposed by hackers are less clear. Nine months later, the Weslaco School District is still figuring out what to do, if anything, for students whose information has been leaked, Martinez said.
“We have lawyers looking at this right now,” he said.
Ransomware hackers are largely profit-driven and tend to seek out targets of opportunity. This means that the information they post online is often a mishmash of scattered files that they may have stolen, and even school districts themselves may not know what has been taken and exposed.
The problem is exacerbated by the fact that many schools simply do not know all the information stored on all of their computers and therefore may not realize the extent of what hackers have stolen. When the Lancaster Independent School District in the Dallas area was hit with ransomware in June, it alerted parents but told them that the school’s investigation “did not confirm that there was an impact on employee or student information,” Kimberly Simpson, district communications manager, said in an email.
But NBC News’ investigation into the files leaked from that hack revealed a 2018 audit that listed more than 6,000 students, organized by grade and school, as eligible for free or discounted meals. Simpson did not respond to a request for comment on the audit.
Sometimes student data is exposed because it is held by third parties. In May, hackers released files they had stolen from the Apollo Career Center, a vocational school in northwest Ohio that partners with 11 regional high schools. These files include hundreds of high school report cards from the last school year, all of which are currently visible.
Apollo spokeswoman Allison Overholt said in an email that the organization is still working to notify students whose information has been leaked.
“We are aware of the incident and are investigating it,” she said. “We are in the process of providing notifications to students and others whose information was involved and will complete the notifications as soon as possible.”
Schools and school districts tend to store a lot of data on children, and often they don’t have the money to pay for dedicated cybersecurity experts or services, Levin said.
“School districts collect a lot of sensitive data about students,” he said. “Part of it concerns its students. Part of it concerns their medical history. It may have to do with law enforcement. It may have to do with broken houses. It is a solemn responsibility that schools have to look after children, so they collect a lot of data with that.”
To take part
Parents quickly learn that solving these problems can be up to them. Schools may not even know if they have been hacked or if these hackers have published information about students on the dark web. And federal and state student information laws often don’t give clear guidelines on what to do if a school is hacked, Levin said.
This leaves parents and children with little they can do to protect themselves against the possibility of criminals accessing and using their personal information to commit identity theft or fraud in their name. The most important thing parents can do is freeze their children’s credit while they’re still minors, said Eva Velasquez, president of the nonprofit Identity Theft Resource Center, which helps victims of data theft.
“We should for all intents and purposes believe that for the most part all of our data has been compromised,” Velasquez said. “We’ve been dealing with data breaches since 2005, and they’re absolutely pervasive, and just because you haven’t received notification doesn’t mean it hasn’t happened.”
Freezing a child’s credit can be time-consuming, and doing it effectively requires completing the process with all three major credit monitoring services: Experian, Equifax and TransUnion. But it has become an essential step for digital security, said Velasquez.
“We encourage parents to freeze child credit,” she said. “From an identity theft perspective, this is one of the most robust and proactive steps a consumer can take to minimize risk. And that applies to children, and it’s free.”