Issuing thousands of devices to be used by students makes school districts especially vulnerable to cyberattacks. (iStockphoto/The Minnesota Star Tribune)

Cyberattacks like the one that paralyzed the Minneapolis Public Schools' computer systems in late February are becoming a growing threat to school districts, prompting a dramatic rise in cyber liability insurance premiums and a scramble to figure out what can be done to secure student and staff data.

School districts face particular challenges that have made them more vulnerable, experts say — namely that they have thousands of school-issued devices used by children and teenagers.

Moreover, widespread staffing shortages and budget crunches mean that school IT departments are chronically overstretched.

Minneapolis school officials have stayed tight-lipped about exactly how the breach occurred and what data was accessed, much to the frustration of parents and staffers.

"Kids will click on all sorts of things," said AJ Nash, a Minneapolis-based cyber security expert, adding that ransomware is often delivered through a phishing link. "K-12 education is a tough environment to build defenses, and schools don't necessarily have sufficient budgets to protect themselves."

This week, a ransomware group claimed responsibility for the attack and posted a $1 million ransom, along with a 51-minute video — which has since been removed — with screenshots showing a wide variety of information, including student names and addresses and forms that could contain sensitive employee information.

One screenshot showed what appeared to be a handwritten note about an alleged sexual assault involving students. Other images appeared to show lesson plans, enrollment projections, district forms and policy documents.

"My assessment is that a lot of it could be unpleasant and embarrassing if released," Nash said. "It's a significant amount of data, but a lot of that is public information already."

The ransomware group, which goes by the name Medusa, is a "relatively new but very busy player," and little is known about who they are or where they're located, Nash said. They are currently asking for ransoms from about a dozen other victims, he said. The deadline the group has set for MPS' payment is March 17.

Ransom attacks up

The cost of cyber liability insurance has surged in recent years. The premium for Minneapolis Public Schools' policy rose from $42,000 last year to more than $63,000 this year, and the deductible jumped from $50,000 to $100,000.

MPS isn't the only metro-area school district feeling the pinch. St. Paul Public Schools officials saw their cyber premium go from $60,000 to more than $119,000 this school year. The Anoka Hennepin and Osseo school districts saw increases of more than 10%.

"In general, insurance prices are rising across the board, but where you see it the most is in the cyber insurance market these days," said Daniel Schwarcz, a professor at the University of Minnesota Law School who researches insurance law and regulation.

Much of that increase can be attributed to the changing landscape of cyberattacks, Schwarcz said. But over the past couple of years there's been an increase in ransomware attacks, in which an attacker gains and then blocks access to a data or computer system — usually by encrypting it — and threatens to publish unless a ransom fee is paid.

According to a report by Emisoft, a cybersecurity company, more than 100 local governments, 44 universities and colleges, 45 school districts and 25 health care providers in the United States were impacted by ransomware in 2022.

"This sort of attack has just skyrocketed," Schwarcz said. "What that meant is that cyber insurers sort of lost their shirts in 2020 and 2021, and now they are simultaneously trying to make up for those losses and appropriately price their products when risks are larger."

In a hard market, insurers have leverage to ask school districts, for example, to adopt protocols and defense strategies. But districts typically don't have the people, money or latest technology to do that quickly, said Keith Krueger, CEO of the Consortium for School Networking, a nonprofit organization for IT staff working in school systems.

"This isn't going to be solved with the snap of a finger," Krueger said of bolstering districts' defenses against cyberattacks. "And this isn't a sidebar issue — learning time and identities are at risk."

School districts are targets for hackers who are looking for sensitive documents they can leverage for a ransom, said Soumya Sen, an associate professor of information and decision sciences at the University of Minnesota. With the double extortion method used by the group claiming responsibility for the MPS hack, the attacker also offers the data for sale on the dark web.

Districts have confidential files with contact information for employees and students, as well as financial records, student health and psychological assessment data, civil rights investigation records and files on sexual violence allegations, Sen said.

"Unfortunately, many organizations react the same way to cyberattacks — they try to hide the extent of the security breach and do not take preemptive actions to inform and help potential victims," he said.

Using vague language like MPS' use of "encryption event" in communications with staff and families only sows distrust and doesn't work to improve its position against the hackers, Sen said.

Greta Callahan, teacher chapter president of the Minneapolis Federation of Teachers, said she and her members are frustrated by the lack of communication from district officials.

"They are learning more about this from the news than from the district," she said, adding that several teachers have reported fraudulent activity on their accounts in the past two weeks.

District officials said Thursday that people "whose legally protected personal information" was accessed can get free credit monitoring and identity protection services.

"We understand that MPS didn't do something to us to harm us here," Callahan said. "But why won't they say, 'Here's why we can't share that'?"

Transparency in communicating about cyberattacks can be a fine line, Krueger said. Districts shouldn't reveal precisely how a hacker gained access, he said, but should be honest about what resources are available to potential victims.

Nash agreed.

"That vagueness may come back to shame on the district's part more than anything, and we need to get past that," he said. "Good, smart, hardworking organizations get compromised every day."

about the writer

Mara Klecker

Reporter

Mara Klecker covers suburban K-12 education for the Star Tribune.