As Cyberscurity Awareness Month kicks off, the consequences of a cyber attack are playing out in America's heartland. Three schools in Iowa and Nebraska have canceled classes and have increased security due to graphic and violent content being emailed or texted to parents of students within the school districts.
The threats to parents in Johnston, Iowa, a district right outside of Des Moines began last Monday night and forced district leaders to cancel classes the following day. The group “Dark Overlords” has taken credit for the hack, and posted the complete directory of school information online, including student names, addresses and phone numbers. The group “Dark Overlords” has been linked to extortion attacks on Netflix, healthcare providers, and have now turned their attention to several school districts.
Iowa State University cybersecurity expert Doug Jacobson told WHO TV that,“it’s very complex how all these things interact, and attackers use that complexity to their benefit.”
Meanwhile, just across the border in Nebraska, the city of Plattsmouth has closed its schools for the same reason. Omaha received word that a string of text messages were posted on social media threatening violence to a school. Omaha Public Schools later declared that these texts were a hoax, after working with the Omaha Police Department. Still, the district provided increased security for students.
Rob Dickson, Executive Director of Omaha Public Schools understands the weight of this important issue. He stated, "As we look at our systems, this includes student information systems such as Infinite Campus, it is important for districts to communicate to each other as these incidents happen. Proactive planning versus reacting is an important step in the process. We can learn much from each other in practice and policy to ensure student data privacy stays on the forefront. At Omaha Public Schools, we incorporate ongoing processes both internally and with a third party that contributes to the effectiveness of our data security practices. As districts transport and present data into the cloud, this can present some challenges as large providers such as Sony, Yahoo, etc. have breaches. If districts can partner together we can become more effective in ensuring the use and protection of this important data."
In a day where software applications exist to keep anonymity thriving, there are numerous ways to obtain cell phone numbers that are live for only a time, and ones that hide cell phone numbers all together. Federal mobile forensics are combing through the data, but even with their help, and a group has publicly claimed responsibility for the attack, the actual attackers may never be found.
In the wake of an already tough week with yet another tragedy striking in Las Vegas, it gets harder to sift fact from fiction. Who is talk and who is action, and most importantly, are school districts prepared to handle situations such as these?
It seems nearly impossible that the information obtained from attackers was not hacked. The attackers had names of parents, students and cell phone numbers. Although it has not been confirmed, some members in the community are strongly speculating that the data was stolen from the district communications system.
Even if it’s not true, the district will still be dealing with a very serious public relations situation. In the wake of any uncertainty, district leaders must still be prepared to calm the fears and nerves of concerned parents and students.
It’s no longer uncommon for a district to have a legal plan in place when data is breached, but the new area of concern comes from messaging the situation to the public. As more breaches happen across the country, the public becomes more upset. Community members were just told that one breach gave attackers their personal information, and then only weeks later, the data of their children has been exposed as well. District leaders are now working with a public that is almost constantly (and rightly so) on the edge about their personal information.
There are two things that really stand out in this situation. First, social media did not help the situation. Once screenshots of text threads hit social media sites, the situation was exacerbated. As districts consider ways to keep students safe, employing a social media specialist for the district is becoming more and more common. Having a first responder for incidents such as this, is key to getting the situation under control. The rumor mill is strong, and having someone on staff whose main responsibility is to manage social media for the district can help mitigate situations and ensure that there is always one place to go for the facts. This is also important because almost inevitably a “copycat” will soon follow.
The second takeaway is that these incidents involved both cybersecurity and physical security. The two are often separated as districts consider how to keep students, staff and parents safe. In this incident, a likely data breach turned into a physical security threat, as the exposed personal data increased the need for physical security at the school.
As technology weaves more areas of life together, districts must be certain that a plan of action is in place for legal reasons, but also a plan that takes into consideration every implication of a breach, including how data security can impact needs for physical school security.