It was literally a “worst case” school IT scenario. Exploiting the long Labor Day weekend in 2022, hackers hit the Los Angeles Unified School District (LAUSD) — the second largest school system in the U.S. — with a ransomware attack. After LAUSD refused to pay the ransom, attackers published 500GB of stolen data including Social Security numbers, bank account info, employee W-9 forms and the detailed and sensitive mental health records of thousands of students on the dark web.
Interestingly, student data is not actually of great value to cybercriminals. While it’s true that threat actors can use stolen identity data to issue credit cards or simply sell it on the dark web to others, these are not the massive payoffs seen in enterprise-targeted ransomware attacks. Similarly, most K-12 schools simply won’t pay ransom despite the risks to their data — either owing to policy or (more likely) budgetary constraints. Of 45 K-12 ransomware cases that were publicly reported in 2022, only three schools actually paid the ransoms. This leaves most cyberattackers with only marginal monetary gains from K-12 schools.
So what explains the 275% growth in attacks on K-12 educational targets in 2023? Simply put, schools are low-hanging cyber fruit and there are a lot of them. They are specifically targeted for ransomware attacks owing to their lack of in-house expertise, low security budgets and often poor cyber hygiene.
The problem is that the average school spends less than 8% of its IT budget on cybersecurity (the average enterprise spends 10%) with 20% of schools committing less than 1%. Nearly 40% of K-12 schools surveyed did not have a cybersecurity response plan in place and 81% had not fully implemented multi-factor authentication. And while the White House recently rolled out plans to add millions in funding, alongside access for K-12 schools to federal resources such as tailored assessments, training and cyber exercises — the change needs to start with school districts themselves.
It's become clear that while low cybersecurity expenditures may seem to positively affect the bottom line of district budgets, and direct losses from attacks may seem minimal — there are a plethora of hidden costs associated with cyberattacks.
The hidden costs
The lack of cyber investment in K-12 schools carries a steep price tag. Even if schools don’t incur the direct costs of paying ransom, there are very significant hidden costs to the plague of cyberattacks targeting K-12 schools.
For example, when the Las Cruces Public Schools in New Mexico were hit by a ransomware attack, the district’s network was shut down for weeks. This had a tremendous pedagogical impact — with teachers reverting to chalkboards, overhead projectors and old-fashioned gradebooks, while students remained unable to fulfill digital assignments. Recovery took months, during which time district IT staff invested thousands of extra work hours, and the district invested tens of thousands of dollars in new computers.
This is not uncommon. According to a recent GAO report, the loss of learning following school cyberattacks averaged up to three weeks, while recovery time ranged from two to nine months. This has a direct impact on district budgets, not to mention quality of education. And poor student performance carries its own budgetary consequences down the road, as administrators well know.
What’s more, cyberattacks against K-12 schools erode trust within the community. Data breaches that compromise sensitive student data raise concerns about how seriously schools take data protection. Disruptions to learning damage parental confidence, causing frustration and doubts about school reliability — and carrying a direct childcare price tag for parents. Communication breakdowns and lack of transparency during cyberattacks contribute to this declining trust, and long-term reputational damage from negative media attention can trickle down for years.
The surge in cyberattacks on K-12 schools underscores not only the inherent vulnerability of educational targets, but also the high hidden costs associated even with unsuccessful attacks. Ransomware disruptions impact education quality, erode community trust and can leave lasting reputational damage. To protect the educational ecosystem, schools must prioritize cybersecurity investment, improve cyber hygiene and implement robust response plans. By taking proactive measures, schools can fortify their resilience against cyber threats, maintain trust within their communities and mitigate the hidden costs of cyberattacks