A Lesson in Cybersecurity for School Districts

It’s not just corporations, government entities, and technology companies that are being targeted for cyberattacks. School districts are also on the list of prey for cybercriminals, and Austin ISD became one of the latest victims of a hack caused by third-party remote access. 

Austin ISD discovered the data breach upon learning that a letter from a previous third-party vendor, PCS Revenue Control Systems, Inc., had been sent to families regarding the hack. The letter disclosed that the name of the noted student, their identification number, and date of birth were potentially exposed to unauthorized access during a data breach in December 2019. Those who were affected are being offered free identity monitoring as a result of the attack.

This example is just one of many within the field of education: In September 2015, Rutgers University was the victim of a DDoS attack, and in March 2018, the Leon County School District lost the personal information of approximately 50,000 students and staff due to a third-party vendor, Florida Virtual School (FLVS). The information provided on students included name, username, school identification number, and medical and demographic information. The confidential staff information exposed included Social Security numbers, full contact information, email addresses, and more.

Aside from the Leon County School District breach, FLVS had lost school district data in two other separate incidents, including the following:

  • In 2013, the Leon County School District gave an electronic service provider, UCompass, access to data on district personnel and students. FLVS later purchased UCompass and acquired the data, storing it on an insecure server. In February 2018, an unauthorized intruder accessed the insecure server and posted his findings on an online forum. The school was alerted by an associate at Databreaches.net, who noticed the forum comment.
  • From May 2016 through February 2018, FLVS provided online educational services to users throughout the Leon County School District. In February 2018, FLVS alerted the school district that personal data transmitted during that time had been publicly available.

The importance of cybersecurity in schools

Though there hasn’t been any evidence that the Austin ISD breach was used for malicious purposes, this scenario is another example of the damage and liability that occurs when a third-party vendor does not have robust, or even adequate, network security. If a hacker did have malicious intent, the damage could extend to large ransom payouts or hefty reputation costs: eighty-seven percent of consumers are willing to walk away and take their business elsewhere if, or when, a data breach occurs. For third-party vendors who service education systems, this should be a wake-up call. Credibility and reputation as a reliable business partner are on the line when connectivity is not secured or monitored. 

For school districts, any threat of an attack – whether it’s in-person or online – needs to be addressed and secured. It’s proper protocol. Protecting your staff and your company includes protecting them from the theft and exposure of sensitive and critical information that can only be found on internal systems. Managing third-party remote access and implementing a third-party risk management program are first steps to protecting school district networks from hackers who exploit third-party access points. 

For vendors of education systems, being proactive in your approach to network security is foundational to being a quality service provider. Remote support platforms not only serve as an added value proposition, but also reinforce the protective measures your company will take for your client’s security needs – in this case, protecting the PII of students and staff.