The Secret World of School Ransomware Cover-ups

AI-created, human-edited.

In a recent episode of Security Now, Steve Gibson and Leo Laporte dove deep into a disturbing trend in American education: the systematic concealment of cybersecurity breaches in K-12 schools. Based on groundbreaking investigative reporting by The 74, a nonprofit education news organization, the discussion revealed how schools are actively working to keep parents and students in the dark about serious data breaches that expose sensitive student information.

The situation is dire. In 2023 alone, there were 121 ransomware attacks against educational institutions globally – a staggering 70% increase from the previous year, making it the worst year on record for education-sector cybersecurity incidents. Even more concerning than the attacks themselves is how they're being handled.

As Gibson and Laporte discussed, schools have developed a sophisticated system for managing these incidents – not to protect students, but to protect themselves. When a cyberattack occurs, the first call isn't to parents or even law enforcement. Instead, schools immediately contact their insurance companies, who deploy what the industry calls "breach coaches" – specialized attorneys whose primary mission is to control the narrative and limit the school's legal exposure.

These attorneys, working under the shield of attorney-client privilege, bring in a whole team of specialists:

  • Forensic cyber analysts
  • Crisis communicators
  • Ransom negotiators
  • Data miners
  • Credit monitoring providers
  • Call centers

All of this is paid for by taxpayer money, while the very people whose data has been compromised – students, parents, and staff – are kept in the dark.

The consequences of these breaches are far-reaching. The compromised data often includes highly sensitive information:

  • Special education accommodations
  • Mental health records
  • Sexual misconduct reports
  • Student psychological evaluations
  • Financial information
  • Medical records

In one particularly troubling case highlighted during the discussion, the Minneapolis public school system waited seven months before notifying more than 100,000 people that their sensitive files had been exposed. In another instance, hackers used details about past sexual misconduct allegations to extort school officials in Somerset, Massachusetts.

As Gibson pointed out, there's a perverse incentive at play: research suggests that the surge in incidents has been partly fueled by insurers' willingness to pay ransoms. Hackers have openly stated that when a target carries cyber insurance, ransom payments are "all but guaranteed."

Laporte and Gibson discussed the regulatory environment, which both agreed is inadequate. While all 50 states have laws requiring notification of data breaches, the rules vary widely and lack meaningful enforcement mechanisms. One legal expert quoted in their discussion called it a "multiverse of madness," where protection levels depend entirely on where you live.

While proposed federal rules could require schools with more than 1,000 students to report cyberattacks to CISA by 2026, both hosts expressed skepticism about whether this would lead to real change without proper accountability measures and public disclosure requirements.

As Laporte suggested, the solution might lie in implementing SEC-style regulations for public schools, requiring prompt and transparent disclosure of data breaches. However, as Gibson noted, without a functional mechanism for holding anyone accountable, there's little incentive for the system to change.