Dive Brief:
-
Schools and colleges saw a record-breaking number of ransomware attacks in 2023, with 121 incidents last year compared to 71 in 2022, according to an analysis released Tuesday by Comparitech, a cybersecurity and online privacy product review website.
-
On average, the education sector lost 12.6 school days in 2023 as a result of ransomware attacks, slightly rising from the average downtime of 8.7 days in 2021, the report found.
-
Based on the overall ransomware recovery costs reported across 26 educational institutions between 2018 and 2024, Comparitech estimates the average cost of downtime to total $548,185 per day.
Dive Insight:
Without any universal reporting requirements, the number of ransomware attacks targeting schools and colleges remains difficult to accurately measure.
Comparitech compiled its data on ransomware attacks by looking through specialist IT news, data breach reports and state reporting tools. However, researchers acknowledged there are “limitations with uncovering these types of breaches,” and their findings likely “only scratch the surface of the problem.”
Between 2018 and July 2024, Comparitech found a total of 491 ransomware attacks on educational institutions.
There’s a chance, however, that more schools and colleges will be required to report such cyberattacks when the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, goes into effect no later than October 2025.
The law requires certain entities, including state education agencies and half of school districts, to report to the Cybersecurity and Infrastructure Security Agency within 72 hours of a disruptive cyber incident and within 24 hours when a ransom payment is made to cybercriminals.
As Comparitech’s research illuminates, cyberattacks can lead to real financial consequences for districts.
For instance, a December cyberattack targeting Ohio’s West Clermont Local School District is expected to cost the district a $1.7 million net loss, according to a June letter from Superintendent Natasha Adams. The district’s total revenue for FY 2023 was $96 million.
While no personal information or student records were compromised, the threat actor was able to divert several electronic payments to bank accounts that are unaffiliated with any vendors contracting with the district, Adams wrote.
“Although this loss is painful and upsetting, this will not impact the recent announcement of extending any expected request for new operational money until 2026,” Adams wrote. “The district does not anticipate cutting any programs, services or employees.”
More resources and supports are being released to support K-12 cybersecurity, including CISA’s free Cyber Hygiene Services, which allow the federal agency to scan and test local schools districts’ vulnerabilities within their external networks or public web applications.
Additionally, the Federal Communications Commission is expected to open applications this fall for its $200 million, three-year cybersecurity pilot program for schools. Schools can take steps now ahead of the application process by considering their cybersecurity risks that the FCC funds could prevent or address, establishing their district’s goals and objectives, and identifying their cybersecurity officer and the services or equipment they want to purchase, an FCC official said in June.