Children at risk, parents in the dark – Good Day Sacramento

SACRAMENTO (CBS13) – Cybercriminals are targeting schools at an alarming rate and exposing children to identity theft – and their parents may never know. CBS13 discovered alarming statistics on cyber attacks in schools and a lack of school policies to track and report these attacks.

• Schools are not required to report cyber attacks to a governing body.
• In most cases, parents do not even have the right to know that their child’s school has been attacked.
• CBS 13 surveyed over 50 local districts about their cybersecurity policies and only the district confirmed that it actually had one.
• Meanwhile, CBS 13 reviewed more than 120 recent California cyber incidents at K-12 schools, including more than a dozen ransomware attacks. At least one has never been reported publicly or to parents.

From high school students fresh out of distance education, to “Mr. Code’s Wild Ride,” most kids realize the repercussions of a cyberattack, but their schools, it turns out, can’t.

READ MORE: New allegations of child sexual abuse against 5 former priests found credible, according to Diocese of Sacramento

According to a recent IBM survey, about half of educators and administrators said they were “not concerned” about cyber attacks

When CBS13 asked local school districts about their policies for tracking and reporting violations, only one in 50 school districts confirmed that they did have a policy.

“It is very difficult to move forward on this issue when we are kept in the dark. Parents cannot protect their children and policymakers do not know the need to take action to protect their communities.

Two school districts said they were in the process of developing a cyber attack reporting policy, and several said they needed more time to respond, which is permitted under California’s public records law. However, the vast majority of school districts did not respond at all to CBS13’s request.

Meanwhile, CBS13 has identified more than a hundred publicly reported cybersecurity incidents in California K-12 schools, including nearly a dozen recent attacks of ransomware, a type of malware that lock computers and files until a ransom is paid.

We have confirmed that at least one ransomware attack in a Placer County school district has never been reported publicly or to parents.

Cybersecurity analysts monitored over 1,600 ransomware attacks against school districts nationwide last year alone.

And there are growing reports that student information from hundreds of these breaches is now available on the dark web, where children’s information sells for a high price because of their credit history. clean make them ideal targets for identity thieves.

Most will not find out that they have been victimized in years.

This Toledo incident was mentioned in a letter, from Senator Blackburn at the Department of Education, calling for accountability and data on the number of children affected.

“These incidents happen a lot more frequently than a lot of people realize,” said Doug Levin, director of the nonprofit K-12 Security Information Exchange, which helps protect schools from cyber threats.

His group tracks publicly reported cyber attacks, but says most schools never report them.

“It is very difficult to move forward on this issue when we are kept in the dark, ”Levin said. “Parents cannot protect their children and policy makers do not know the need to take action to protect their communities.

California tops FBI Internet crime report for total casualties and money lost, and Levin says California is among the top three states for school cyber attacks.

Yet the California Department of Education tells us, “Schools are not required to report ransomware attacks to state or federal entities. “

“Cyber ​​security practices for school districts are largely unregulated right now in the United States,” Levin said.

The California Department of Education (CDE) told CBS13 that schools can “declare themselves” to private entities. CDE provided a link to Levin’s nonprofit and data breaches in its response to CBS13. However, Levin says he is not aware of any school that has ever self-declared.

READ MORE: Yuba City High School Students Arrested For Carrying Firearms On Campus

The CDE also told CBS13 that it was not aware of any California school districts that had paid a ransom.

“There have been public reports of California school districts that have paid off,” Levin pointed out, “which [means] obviously they don’t follow either.

In fact, Levin notes that there isn’t a consistent standard for who should know about school offenses, and it seems even state regulators are confused.

CDE told CBS13 this federal law, which they said initially required parents and students to be informed of a student’s disclosure. Corn feds say that’s just not true– the law does not oblige schools to inform pupils of compromised information.

Several districts told CBS13 that they would, in some cases, inform families under the California Data Security Breach Notification Act– which applies to Californian companies and agencies.

But other districts appeared to ignore state law, or said it wouldn’t necessarily apply to ransomware attacks without proof that hackers actually “acquired” specific personal information.

“Really what they’re saying is we don’t have any evidence that student data was stolen,” Levin said.

But he stressed that schools should assume that private information has been compromised after any ransomware attack, as hackers often gain access to school servers for days or weeks before activating the ransomware.

“I mean, at this point the damage has been done,” Levin said.

The California Data Security Breach Notification Act, which does not specifically refer to schools, only requires the reporting of specific types of information that has been knowingly “acquired by an unauthorized person. “

By law, agencies are also expected to report violations affecting more than 500 people to the California Attorney General. However, California Attorney General’s Office Rob Bonta did not respond to repeated requests for information about legal requirements or whether school incidents have already been reported to his agency.

A local district, which has seen two recent unreported attacks, said it only reports cyber attacks to its insurance company. The district added that it would only inform students and families based on the advice of that insurer.

“Insurance companies shouldn’t be the ones making this decision,” Levin said. “These are public institutions that use taxpayers’ money to provide valuable services to a sensitive population. Our children. “

Schools in Texas must report stolen student information to the National Education Agency. A Illinois Bill Would Require Schools to Report Cyber ​​Breaches to the Department of Education the. And this federal bill would require a study on cybersecurity risks facing schools.

But so far, there’s nothing forcing California schools to track or report growing cyber attacks.

The Center of Internet Safety, which monitors emerging threats, predicts an 86% increase this year in cyber attacks against schools.

Experts recommend freezing your child’s social security number credit with all three credit monitoring services, Experiential, Equifax and TransUnion. A children’s credit freeze can help prevent hackers from using their information to open credit cards or take out loans on their behalf.

NO MORE NEWS: Logging truck catches fire near Roseville house

The law to allow the freezing of children’s credit in California was prompted by previous investigations by CBS13.