“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.’’

                   – IRS Commissioner John Koskinen (2/7/2017)

My followers may know that many days I take to Twitter to share national, state, and local news stories of relevance to technology use in schools and for learning. Over time, the volume of stories focused on school-related issues of data privacy and security have increased, which is only to be expected as the sector is increasingly relying on technology for its core operations. It is inevitable that the education sector will experience data breaches and be subject to cyberattacks intended to enrich (or otherwise benefit) attackers, hurt/embarrass school officials or other members of the school community, or protest school/government policies and practices. These acts may be undertaken by those connected to the school (such as administrators, teachers, or students) or by actors with no relation to the school at all (e.g., by hackers canvassing the internet for software vulnerabilities).

One recent attack has become so widespread and so damaging that the Internal Revenue Service itself has issued public guidance for schools and other institutions that have become its target (see “Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others“).

 

While by no means an exhaustive list, school districts that have fallen prey to this specific phishing attack (according to press reports I have found) include:

  1. Olympia (WA) School District faces data breach after large phishing scam
  2. ‘Phishing’ attack threatens thousands of school employees’ private data (Manatee County, FL)
  3. Corsicana ISD (TX) responds to data breach incident
  4. Argyle School District (TX) Employees Hit with Data Breach
  5. Data breach affects thousands of school system employees (Tipton, TN)
  6. 1,300 (School) Employees Affected By Data Breach (Lexington County, SC)
  7. Mercedes ISD (TX) personal data breach baffling, inexcusable
  8. FBI investigating Mercer County Schools (WV) data breach
  9. Don’t take the bait: (Davidson County, NC Schools) Data breach raises questions about cybersecurity
  10. Belton Independent School District (TX) offering free credit monitoring after W-2 breach **
  11. Maine school employees’ tax info sent to email scammer (Brunswick, ME)  **
  12. Data breach of W-2 forms hits thousands of Bloomington (MN) school employees **
  13. Dracut (MA) schools hacked **
  14. Email hack leads to Odessa (MO) school employee W-2 forms being compromised **
  15. Email hack affects local (Morton District 709, IL) school district **
  16. HCSD (NY) victim of email phishing scam **
  17. Data breach at Guilford-area schools (ME) leads to identity thefts **
  18. Concord School District (NH) Reports ‘Data Security Breach’ **
  19. Teachers’ personal data hacked (Lawrence Public Schools, MA) **
  20. Sequoia Union High School District (CA) **
  21. WESD employees’ W-2 information compromised in phishing scheme (AZ) **
  22. ‘Phishers’ catching school employee tax returns (Barron Area School District, WI) **
  23. Hundreds of Mt. Healthy (OH) school employee W-2s could be in hacker’s hands **
  24. Teacher Info Leaked in Security Breach at Abernathy ISD (TX) **
  25. Social Security Numbers Stolen From All Independence School (MO) Employees **
  26. Redmond schools (OR) hit by major employee data breach **
  27. Phisher gets W-2s from BRF, tries at Alma Center (Black River Falls, WI) **
  28. Trenton R-9 (MO) E-Mail Attack **
  29. Yukon Public Schools (OK) victimized by phishing scam **
  30. Impostor Gets W-2 Info for 1,300 School District Workers (Groton Public Schools, CT) **
  31. Tyler ISD (TX) issues statement after employee W-2 forms sent in ’email spoofing attack’ **
  32. Glastonbury (CT) Schools Phishing Scandals Impacts 1,600 Workers **
  33. AC (Arkansas City, KS) school district victim of Internet phishing **
  34. School administrators fall victim to possible scam (Ben Bolt ISD, TX) **
  35. Hundreds of Powhatan (VA) school employees compromised in data breach **
  36. Walton School District (FL) falls victim to scam **

NOTE: List of affected school districts last updated 3/22/17 (8:30 AM). List will be updated as research continues. If you are aware of other school districts victimized by this attack not already on this list, please contact me. Thanks to Dissent Doe (@PogoWasRight) of https://www.databreaches.net/ for help in identifying affected school districts.

This cyberattack – affecting tens of thousands of school employees – may represent the single most widespread and serious threat to school district data systems we have seen to date – and certainly raises questions about the state of school information security practices. Indeed, evidence already suggests widespread lax school IT security practices thanks to systematic investigations, such as those conducted in Missouri and Wyoming.

It is vitally important that school district leadership and IT staff educate themselves on this threat and take immediate steps to protect themselves. Here is what the IRS has to say about it:

 

No Title

No Description

 

Please share this information widely. There remains much work to be done to educate government, school leaders, and educational technology vendors about how to mitigate the risks of IT systems that manage personal data of school employees, students, and their families. Unfortunately, it may have to get worse before it can get better.

 

 

Image credit: “hacker” by Dani Latorre, 2001. CC-BY-SA

 

** New articles regarding K-12 school districts affected by phishing attack (i.e., updated since this blog was originally posted).