Cybersecurity in K-12 Education

Since PowerSchool revealed in January that it had fallen victim to a data breach, many questions remain about the impact and implications for student and staff data in school districts that use PowerSchool’s software nationwide. 

PowerSchool is expected to release a report soon based on findings from CrowdStrike, a cybersecurity company investigating the situation. Information from that report will be shared directly with PowerSchool customers, a company spokesperson told K-12 Dive in an email Jan. 17. 

The K-12 software company told K-12 Dive in January that it became aware on Dec. 28 of what it called a “potential” cybersecurity incident in which a threat actor gained unauthorized access to an unknown amount of student and staff data from its PowerSource service. PowerSource is a customer support portal for district and school staff.

The threat actor is believed to have stolen data from two tables containing family and teacher information from PowerSchool’s Student Information System database. Some of that data may include personally identifiable information like names and addresses of families and educators. In some cases, information such as Social Security numbers and medical data were also exposed.

A lack of cyberhygiene?

While PowerSchool told K-12 Dive the incident was not a ransomware attack, a news report from Bleeping Computer said the software company’s FAQ page for customers acknowledged that it paid the threat actor following the data breach. When K-12 Dive previously asked PowerSchool if the company had paid the threat actors, a spokesperson said: “We have taken all appropriate steps to prevent the data involved from further unauthorized misuse. The incident is contained and we do not anticipate the data being shared or made public.”

In a Jan. 15 webinar, national school cybersecurity nonprofit K12 Security Information eXchange invited cybersecurity experts to share reactions and next steps for school districts following the PowerSchool data breach. Doug Levin, co-founder and national director of K12 SIX, said during the webinar that any kind of payment to a threat actor via extortion imperils the education sector.

“It encourages malicious actors to continue to target us and try to extort us, either by using encryption to lock up our devices or stealing our data and trying to extort us to keep it from being leaked,” Levin said.

Levin added there’s no guarantee that any stolen data won’t be further exploited and shared even if an organization pays a bad actor not to release it on the dark web. “I think it's certainly possible that it could show up there and be released at some point in the future, or it could be used to target individual teachers and students directly via phishing or social engineering,” Levin said.

The FBI also strongly discourages victims of ransomware attacks from paying hackers for reasons similar to those Levin shared.

Speakers on the webinar also raised questions about whether PowerSchool used multifactor authentication for its PowerSource service before the data breach.

While PowerSchool’s internal systems use multifactor authentication, the infiltrated PowerSource system did not have multifactor authentication support, a company spokesperson told K-12 Dive on Jan. 17. However, PowerSchool said that has since been addressed through its remediation plan. 

Wesley Lombardo, technology director at Tennessee's Maryville City Schools, told the webinar that there’s no reason a single user should be able to access all student and teacher data from every available school district. PowerSchool’s lack of cyberhygiene is “pretty concerning,” he said.

“I feel like there were failures kind of along the way of places where they could have maybe not have stopped that initial access, but definitely as soon as the exfiltration started, [there] should have been bells and whistles and all kinds of things kind of alerting that something was amiss,” Lombardo said.

Student data privacy violations?

Since the PowerSchool data breach came to light, at least four class action lawsuits have been filed against the company.

One of these more recent class action lawsuits was filed Jan. 17 in U.S. District Court of the Eastern District of California on behalf of a parent, Shandrelle Okoni, who claims her children were impacted by the incident. The lawsuit alleges that PowerSchool was negligent during the cyberattack and that the data breach impacted over 60 million teachers and students.

Additionally, the lawsuit claims PowerSchool failed to provide timely notice to users who were affected, consequently taking away their ability to protect themselves. 

“We live in a world where these EdTech companies are an inextricable part of our kids’ school experiences. Kids don’t get to consent to using this software, and parents basically don’t have a choice about whether their kids use it,” said a statement from attorneys John Morgan and Ryan McGee of law firm Morgan & Morgan, which is representing the plaintiffs. “And yet, PowerSchool, which houses the personal information of students and teachers across North America, allegedly failed to safeguard this sensitive data, exposing the information, safety and privacy of millions of children.” 

As more details have come out, “it became clear how egregious this was in terms of the decisions that were made before the breach occurred,” said Amelia Vance, founder and president of the Public Interest Privacy Center, during the K12 SIX webinar. 

“The legal obligations here are clear, the security requirements that they were missing have been standard and are codified in multiple laws,” Vance said. 

PowerSchool is among those that have signed national ed tech data privacy pledges with the Cybersecurity and Infrastructure Security Agency, as well as the Future of Privacy Forum and the Software & Information Industry Association.

As a result of the breach, the status of PowerSchool’s pledge with the Future of Privacy Forum is “under review,” according to the Future of Privacy Forum. A final decision was expected within 30 days from Jan. 14. 

“We have been reviewing the press reports of the PowerSchool data breach and potential violations of the company’s Student Privacy Pledge commitments, with particular attention to the commitment to maintain a comprehensive security plan,” a Jan. 14 statement from Future of Privacy Forum read.

Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation, said in an email that ed tech vendors like PowerSchool are storing data for as long as they possibly can, which makes them vulnerable to having their data stolen.

“If companies like PowerSchool practiced a privacy-first approach and focused on data minimization, only collecting and storing what they absolutely need to provide the services they promise, many data breaches would be far less harmful to the victims,” Klosowski said.

Globally, the number of confirmed ransomware attacks targeting the education sector dropped from 188 in 2023 to 116 in 2024, according to data released Jan. 9 by Comparitech, a cybersecurity and online privacy product review website.

Across the four sectors analyzed by Comparitech, educational institutions — including schools and colleges — were the only group to see a decline in ransomware attacks. Still, 1.8 million records were affected by ransomware attacks in the education sector worldwide in 2024, with the average ransom demand being $847,000.

While the total number of confirmed ransomware attacks against all industries worldwide declined between 2023 and 2024, Comparitech expects 2024 figures to rise since it can take months or even years to solidify a ransomware report.

Ransomware data is often difficult to track, particularly if a school or district does not disclose or confirm the incident. 

Research tracking U.S. K-12 ransomware attacks specifically points to a general increase in incidents in recent years. In fact, the number of K-12 ransomware attacks ballooned 393% between 2016 and 2022, from 14 to 69, according to data from national nonprofit K12 Security Information eXchange. Between November 2022 and October 2024, K-12 SIX reported another 85 incidents targeting K-12 public schools. 

Additionally, there are no nationwide reporting standards for school systems impacted by cyberattacks. While a federal rule is currently being finalized to require education institutions among other sectors to report cyber incidents, it’s still unknown how the Cybersecurity and Infrastructure Security Agency will handle the data or share it.  

Comparitech’s analysis identified a total of 5,461 ransomware attacks on all organizations worldwide in which threat actors claimed responsibility. But the analysis generally focused on confirmed ransomware attacks — those in which an organization publicly disclosed they were targeted.

One of the confirmed K-12 ransomware incidents flagged by Comparitech from 2024 was a June 17 incident involving the Alabama State Department of Education. State officials said they thwarted hackers from accessing all targeted servers, but the criminals were still able to infiltrate some data before the department’s staff could fully stop the cyberattack. The department added that it was not negotiating with foreign actors or extortioners, as the FBI warns against paying hackers. 

Other school districts confirmed by Comparitech to have been targeted by ransomware attacks in 2024 include Utah’s Granite School District (for a $1.5 million ransom), Pennsylvania’s Shenango Area School District (for $1.3 million), Arizona’s Tri-City College Prep High School (for $100,000), South Carolina’s Charleston County School District, Texas’ Abilene Independent School District, Nebraska’s Winnebago Public Schools, and Georgia’s Effingham County Schools. 

It’s unclear whether any of the school districts paid a ransom during these attacks, according to the analysis. 

The ongoing prevalence of K-12 cyberattacks — particularly ransomware — comes as threat actors view resource-strapped schools as both vulnerable and lucrative targets, because districts often don’t have enough dedicated funds to protect their networks containing troves of sensitive student and staff information. 

One recent effort to address schools’ need for additional cybersecurity support is the Federal Communications Commission’s $200 million, three-year pilot program. The initiative is focused on helping schools and libraries cover costs for cybersecurity services and equipment. In November, the FCC said demand far exceeded the program’s capacity, with requests during the application process totaling $3.7 billion.

Minnesota public school districts, charter schools and colleges must now report cybersecurity incidents such as ransomware or network attacks under a newly enacted state law.

The information that schools report to Minnesota will not be shared publicly, unlike with similar statewide data breach reporting requirements in California and Maine.

Instead, the information will be anonymized and shared with “appropriate organizations” — with the goal of helping officials understand how security controls are bypassed and providing support for network protection.

Minnesota’s approach to shoring up cybersecurity protections through mandated reporting comes as schools are increasingly vulnerable to ransomware attacks. The new law, which took effect Dec. 1, also applies to local governments and state agencies.

Minnesota faced challenges with K-12 cybersecurity when a ransomware gang claimed responsibility for a 2023 cyberattack on Minneapolis Public Schools. The cybercriminals in that case publicly leaked sensitive files that they claimed to belong to the 35,000-student district.

But schools are hardly alone in dealing with these threats.

Other critical sectors that face higher cybersecurity risks include automobile manufacturers and suppliers, finance companies, mass transit, ports, and oil and gas companies, according to a November report by Moody’s Ratings, a global credit rating provider. 

In that same Moody’s report, the global cyber risk scores for the education and nonprofit sectors — measured together — rose from “moderate” to “high” between 2022 and 2024. The highest score is the “very high” level. 

Additionally, cybersecurity was the top technology priority this year among state leaders, according to a September report by the State Educational Technology Directors Association. The report also flagged concerns that states aren’t providing enough resources, with only 8% of surveyed ed tech leaders across 46 states saying their state provides “sufficient” funds to support cybersecurity efforts. 

While the Minnesota law does not publicly disclose any specific details of cybersecurity incidents, it adds to a bigger question among top officials: Should schools and other government entities be required to publicly share when they are the victims of a cyberattack?

That question remains unanswered at the federal level, as a proposed Biden administration rule on national cybersecurity incident reporting requirements is still being finalized by the Cybersecurity and Infrastructure Security Agency. As drafted, school districts with 1,000 or more students and all state education agencies would be required to report a disruptive cyber incident within 72 hours — or within 24 hours of paying a ransom to cybercriminals. 

CISA’s rule to implement reporting requirements is part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. The agency, however, has said it’s likely that reporting won’t begin until 2026 due to regulatory delays.

The education and nonprofit sectors together face a heightened cyber risk in 2024 compared to two years ago, according to Moody’s Ratings, a global credit rating provider.

Global cyber risk scores for education and nonprofit organizations bumped up from “moderate” to “high” between 2022 and 2024, Moody’s recently reported in its annual cyber heat map analysis. The highest score is the “very high” level. 

Sectors including education are seeing their cyber risk scores rise as a steady rate of digitization risks remain coupled with weakened cyberdefenses.

According to Moody's, higher cyber risk scores are being driven by growing digitization — which produces an “extensive digital footprint potentially more vulnerable to a cyberattack” — and below-average mitigation of cyber risks.

Other sectors with higher cyber risk scores this year include automobile manufacturers and suppliers, finance companies, mass transit, ports, and oil and gas companies.

Overall, the 24 sectors in Moody’s high cyber risk category carry a total of $23.2 trillion in high-risk debt. Education and nonprofits collectively own $356 billion of that debt. 

Moody’s also noted that education has reported one of the highest rates of ransomware attacks and that the costs of cyber incidents have more than tripled in the past year. “Entities in the education and not-for-profit sector are among the least prepared when it comes to protecting their network perimeters and executing basic cyber practices like multifactor authorization (MFA) and educating staff and students about cyber risk,” the report said.

The Moody’s findings come as ongoing calls for K-12 cybersecurity are amplified at the national and state levels, and as ransomware increasingly poses a threat to shutting down school networks and straining resource-strapped districts.

Where there is available federal funding for cybersecurity supports, the needs outweigh capacity. 

For instance, the Federal Communications Commission recently announced that its new cybersecurity pilot program for schools and libraries saw “strong interest” during the application process this fall. The three-year, $200 million pilot program will offer to cover the costs for cybersecurity services and equipment. The FCC said it received 2,734 applications totaling $3.7 billion in requests. 

“The vulnerabilities in the networks we have in our schools and libraries are real — and growing,” said then-FCC Chair Jessica Rosenworcel in a Nov. 8 statement. “The overwhelming response to our pilot program makes clear that the cybersecurity threats impacting school systems are widespread.”

There was “strong interest” in the Federal Communications Commission’s new cybersecurity pilot program for schools and libraries during the application process this fall, according to an FCC announcement on Nov. 8.

The federal pilot program is set to provide up to $200 million over three years to a select, diverse array of schools and libraries to assist with covering the costs for cybersecurity services and equipment. 

With the application window for the pilot program recently closing on Nov. 1, applicant interest far exceeded the program’s allocated funds. The FCC said it received 2,734 applications totaling $3.7 billion in requests from schools, libraries, and consortia of schools and libraries to fund cybersecurity needs during the pilot's three-year period. 

The high demand for cybersecurity supports comes at a time when cash-strapped schools are increasingly vulnerable to serious cyberattacks, particularly ransomware threats. 

“The vulnerabilities in the networks we have in our schools and libraries are real — and growing,” said then-FCC Chair Jessica Rosenworcel in a statement. “The overwhelming response to our pilot program makes clear that the cybersecurity threats impacting school systems are widespread. The Pilot Program provides an excellent opportunity to both learn from these varied experiences, and also test out solutions in different environments.”

Advocates of the federal program have noted that the $200 million currently available in the pilot to boost schools and libraries’ cybersecurity support is too low to meet needs nationwide. 

The funds, which have yet to be distributed to a selected number of schools and libraries under the pilot program, will range from a minimum $15,000 to a maximum of $1.5 million, depending on a funding formula that calculates the cost at $13.60 per student.

Schools and libraries may use the funds for securing their networks within four categories: advanced or next-generation firewalls; endpoint protection; identity protection and authentication; and monitoring, detection and response. Pilot program participants, however, will be required to pay a portion of the costs for any cybersecurity services or equipment purchased using the federal program dollars.

The Tucson Unified School District and Nantucket Public Schools seem to have little in common. Tucson schools, with 42,000 students, is one of the largest districts in Arizona and sits in a bustling urban area. Nantucket schools, on the other hand, enrolls fewer than 2,000 students and populates a small island off the coast of Massachusetts.

But in early 2023 — just one day apart on Jan. 30 and 31 — both school systems fell victim to ransomware attacks that disrupted operations, leading to school closures in Nantucket and the compromise of personally identifiable data in Tucson. 

Ransomware — where threat actors use malware to block access to network systems and then demand payment to unlock it — has been ballooning in the K-12 sector over the last seven years, according to the K12 Security Information eXchange. Known as K12 SIX, the national nonprofit helps protect schools from cybersecurity threats.

An estimated 325 ransomware attacks hit public K-12 schools between April 2016 and November 2022. From that date through Oct. 3 of this year, schools have experienced another some 85 ransomware attacks, according to K12 SIX. 

Adding to the pain, a handful of school districts were hit with ransomware twice between April 2016 and November 2022, according to K12 SIX data. 

The numbers, it's important to note, can shift upon further investigation to determine whether the events were definitely ransomware attacks.

But Roberto Rodriguez, assistant secretary for the U.S. Department of Education's Office of Planning, Evaluation and Policy Development, said an estimated five cybersecurity incidents hit K-12 each week.

Not only do these cyberattacks inflict logistical, legal and financial damage, they also take an emotional and physical toll on school communities, say education administrators and technology professionals. 

Plus, there are national security concerns, given that perpetrators are often international criminals.

"At the end of the day, we're a country that offers a free and public education, and when an outside entity and a nation-state actor attacks that, they're not attacking just the school, they're attacking the concept of a free and public education and our approach to how we do things in the U.S.," said Amy McLaughlin, project director of Cybersecurity and Network and Systems Design Initiatives at Consortium for School Networking, or CoSN, a professional association for K-12 ed tech leaders.

Why is this happening?

One of the most significant factors putting a target on K-12's back is that the sector has rich digital assets but underresourced cybersecurity infrastructures. The assets are all in the information — names, birth dates, Social Security numbers, student disability status, financial details — that districts, private schools and the third party companies they work with are supposed to protect.

Yet many districts and public and private schools lack the technology or staffing to stay ahead of criminals and safeguard the sensitive data entrusted to them. The K-12 education sector, like some other industries, also has no federal mandatory and uniform cybersecurity standards for identifying and reporting attacks.

At the same time, bad actors are always finding new ways to take advantage of vulnerabilities. 

A concerning development, for example, is dual and triple extortion ransomware attacks. That is when threat groups steal and encrypt data, forcing victims to figure out both how to access their data and how to stop it from being released on the dark web or elsewhere. Student, staff and family data released in this way poses downstream risks for identity theft, credit and tax fraud, and other nefarious activity.

It's as if someone moved into your house, locked you out, stole your possessions — and then demanded payment to turn over the keys, said Richard Bowman, chief technology officer of New Mexico's Albuquerque Public Schools, which experienced a ransomware attack in January 2022.

McLaughlin adds, "They're out here stealing your data and charging you for it." Nation-state adversaries and criminal or terrorist organizations attack education entities "to fund their business model," she said.

Indeed, Doug Levin, co-founder and national director of K12 SIX, said the attacks are "100% about money."

A number of characteristics —  including a lack of robust cybersecurity measures —  make K-12 into attractive prey, Levin said. "We've been slow to implement common sense protections, like multifactor authentication, which makes us easier targets compared to other sectors," he said.

Other contributors include disjointed response protocols and underresourced cybersecurity staff. Two-thirds of districts had no full-time cybersecurity position in 2023, according to CoSN survey data. And 12% of districts said they don't dedicate any funds for cybersecurity.

A 2024 U.S. Department of Homeland Security threat assessment report said K‑12 districts have been "a near constant ransomware target." The federal agency blamed this on budget constraints of school systems' IT departments, a lack of dedicated resources, and cybercriminals' success in getting schools to pay ransoms.

In addition, districts are simply managing a lot of ed tech these days. During the 2023-24 school year, they used 2,739 different ed tech tools on average, an 8% increase from the previous school year, according to a report released earlier this year by Instructure and the company's LearnPlatform, which helps districts research and choose digital learning products.

People within schools and districts — educators, students, staff — are also for the most part trusting, caring and optimistic, educators and technology experts note. Educators often don't assume others are acting with ill intent. This attitude is needed to create nurturing school environments, but it also can give an advantage to criminals who prey on vulnerable systems.

What damage has this caused?

More than half – 62% – of "lower education" systems worldwide that are victimized by ransomware pay the criminals to recover their hijacked data, according to a 2024 report from U.K.-based cybersecurity firm Sophos. The data was based on a survey of 300 lower education IT and cybersecurity leaders in 14 countries. 

The ransom payments averaged $7.5 million, according to the 99 lower education survey participants who had paid demands. 

The average price for restoring data with backup technology — excluding ransom payments — was $3.76 million, or about the expense of 54 U.S. teaching positions. That average cost is more than double the $1.59 million figure from the company's 2023 survey.

According to Comparitech, a cybersecurity and online privacy product review website, the K-12 and higher education sectors lost 12.6 school days on average in 2023 from ransomware attacks. That downtime calculates to $548,185 per day, or about 123,744 school lunches for one day.

The companies and organizations that collect and report data about K-12 cyberattacks do so with a caveat — they say the data may be underreported. That's because there is no national mandatory reporting system. 

The new federal Cyber Incident Reporting for Critical Infrastructure Act is expected to change that, however, when it takes effect sometime in 2026. CIRCIA will require state education agencies and school districts with more than 1,000 students to report to the Cybersecurity and Infrastructure Security Agency within 72 hours of a disruptive cyber incident and within 24 hours of making a ransom payment to cybercriminals, according to the proposed rule for implementing the provision. 

In addition to financial fallout, ransomware can wreak havoc on productivity, teaching and learning — not to mention the emotional well-being of a school community. 

"I think that the challenge — the hardest part and the biggest piece of this — is that the disruption can be really significant," said McLaughlin. For instance, if a district has to close schools due to a cyberattack, parents have to find child care, sports games have to be postponed, and state testing has to be rescheduled.

How are schools responding?

Once a breach is discovered and a ransom demanded, district or school response can vary with the circumstances. But experts recommend these steps: 

• Work to limit the damage and preserve sensitive data. 
• Decide if external help is needed from local and state authorities, cyber incident support teams or private vendors.
• Alert law enforcement, including the FBI and other reporting agencies like the Department of Homeland Security's U.S. Computer Emergency Readiness Team.

The FBI and CISA, as well as the nonprofit Multi-State Information Sharing Analysis Center, all discourage victims from paying ransoms as there’s no guarantee the files will actually be recovered. But some education economists and tech experts say making that decision is not so easy — as paying the ransom may be less disruptive or less expensive than rebuilding a school's network.

In some cases, districts have kept details of ransomware attacks hidden from the public and even staff. An investigative report by the Florida Sun Sentinel found that the 248,000-student Broward County Public Schools system waited five months to report key information to people impacted by a March 2021 cyberattack. In a Nov. 29, 2021, statement, the district said it was offering free credit monitoring to those affected and who requested the service.

Across the country, some school districts have had to respond to parents' demands for answers when personally identifiable information was compromised. 

For instance, parents in a class action lawsuit filed Oct. 31, 2023, allege that "negligent and/or reckless failure" by Nevada's Clark County School District resulted in a ransomware attack that led to the release of sensitive data about teachers, students, families and former students. 

"Despite knowing about this breach for almost a month, CCSD continues to fail to adequately inform those affected, continues to characterize what we understand was and may still be an ongoing breach of its systems as a single 'incident,' and continues to portray itself as an innocent victim rather than an accountable governmental body," said an undated statement from plaintiff law firm Sklar Williams. The case, Doe v. Clark County School District, remains open.

Liability is one reason school districts may want to stay silent about an attack. But there's another reason, too — shame.

"The topic of ransomware is rarely shared among organizations and is viewed as a scarlet letter or badge of dishonor to technology and security teams," said Lacey Gosch, assistant superintendent of technology at Judson Independent School District in Live Oak, Texas. Gosch's comment came during testimony on Sept. 27, 2023, before a U.S. House joint subcommittee hearing on combating ransomware attacks.

The 25,900-student Judson system fell victim to a ransomware attack on June 17, 2021, just a month after Gosch came to the district. A full investigation found the data breach affected about 429,000 people. The district paid a $547,000 ransom to ensure the threat actors deleted the stolen data, Gosch told the joint subcommittee. 

District contractors had to install new cybersecurity software on each of the school system's 4,500 devices. In the end, it took Judson ISD more than a year to fully recover from the breach. 

"The mentality that any organization is too small or insignificant to be affected by a cybersecurity breach is living under a false sense of security," Gosch said. "The truth is that cybersecurity events in organizations need to be viewed not as improbable but as absolute. The question is not if it will happen but when it will happen."

How are districts protecting themselves?

After years of victimized school districts suffering from frustration and shame, there's been growing momentum at local, state and federal levels to fight back through improved prevention, recovery and response practices. 

Preventive measures like multifactor verification for accessing files are some of the leading defenses, Levin said. "The best thing is to not be a victim, right? If you're a victim, I think you're faced with a series of bad choices at that point," he said.

To safeguard schools, districts are investing in cybersecurity insurance and taking advantage of free tools and resources from CISA. In October, the White House Office of the National Cyber Director launched an initiative to encourage districts to adopt free protective domain name system services that prevent connections to malicious website domains.

Education advocacy groups, like CoSN and the State Educational Technology Directors Association, are also assisting districts.

States are likewise stepping up to help. The Georgia Department of Education, for example, dedicated nearly $1 million in 2022 to provide every district in the state with licensing for a cybersecurity platform, through a contract with the Georgia Technology Authority. The platform allows districts to pinpoint their vulnerabilities and provides recommendations for improvements. 

And CISA, along with the federal Education Department, created a Government Coordinating Council earlier this year to address hardships districts face in preventing, responding and recovering from cyberattacks. 

The council is made up of school administrative organizations representing principals, superintendents, school business officials, special education directors and others. 

It serves as an information-gathering and collaborating body to better understand K-12 cybersecurity challenges. It is also documenting best practices and brainstorming potential solutions, such as a dedicated technical assistance center, said the Education Department’s Rodriguez. 

Congress has not provided the Education Department with a dedicated funding stream for supporting cybersecurity measures in school districts and state education agencies, according to Rodriguez.

"We are hearing from districts around the country — urban, rural and suburban — about the challenges that they face," said Rodriguez, adding, "We think that preventative approach is really something that has great potential, and we should be doing more with districts across the country, especially those districts that don't have more sophisticated infrastructure."