Most don’t have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren.
The ongoing wave of ransomware attacks has cost companies and institutions billions of dollars and exposed personal information about everyone from hospital patients to police officers. It’s also swept up school districts, meaning files from thousands of schools are currently visible on those hackers’ sites.
NBC News collected and analyzed school files from those sites and found they’re littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
Some schools contacted about the leaks appeared unaware of the problem. And even after schools are able to resume operations following an attack, parents have little recourse when their children’s information is leaked.
Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Public school systems are even less equipped to protect students’ data from dedicated criminal hackers than many private sector businesses, said Doug Levin, the director of the K12 Security Information Exchange, a nonprofit organization devoted to helping schools protect against cyberthreats.
“I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed,” Levin said. “And I don’t think people have a good handle on how large that exposure is.”
For more than a decade, schools have been a regular target for hackers who traffic in people’s data, which they usually bundle and sell to identity thieves, experts say. But schools have never had a clear legal mandate for what to do after hackers steal their students’ information.
The recent rise in ransomware has escalated the problem, as those hackers often publish victims’ files on their websites if they don’t pay. While the average person may not know where to find such sites, criminal hackers can find them easily.
Scammers can act quickly after information is posted. In February, just a few months after Toledo Public Schools in Ohio was hit by ransomware hackers who published students’ names and Social Security numbers online, a parent told Toledo’s WTVG-TV that someone who had that information had started trying to take out a credit card and a car loan in his elementary school-aged son’s name.
In December, when hackers broke into the Weslaco Independent School District near the Texas southern border, staff members moved quickly to alert more than 48,000 parents and guardians of the breach. They followed the FBI’s advice to not pay the hackers and restored their system from backups they had kept for such an emergency.
But the hackers, spurned by Weslaco’s decision to not pay, dumped the files they pilfered on their website. One of those, still posted online, is an Excel spreadsheet titled “Basic student information” that has a list of approximately 16,000 students, roughly the combined student population of Weslaco’s 20 schools last year. It lists students by name and includes entries for their date of birth, race, Social Security number and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged and if they’ve been flagged as potentially dyslexic.
The district’s cyber insurance paid for free credit monitoring for staff, said Carlos Martinez, its executive director of technology. But protections for children whose information was stored by their school and exposed by hackers is murkier. Nine months later, the Weslaco school district is still figuring out what, if anything, to do for the students whose information was exposed, Martinez said.
“We have attorneys looking into that right now,” he said.
Ransomware hackers are largely motivated by profits and tend to look for targets of opportunity. That means the information they post online is often a hodgepodge of scattered files they were able to pilfer, and even the school districts themselves may not know what’s been taken and exposed.
The problem is exacerbated by the fact that many schools simply don’t know all the information that’s stored on all their computers, and therefore they may not realize the extent of what hackers have stolen. When the Dallas-area Lancaster Independent School District was hit with ransomware in June, it alerted parents but told them the school’s investigation “has not confirmed that there has been any impact to employee or student information,” Kimberly Simpson, the district’s chief of communications, said in an email.
But NBC News’ investigation of the files leaked from that hack found an audit from 2018 that listed more than 6,000 students, organized by grade and school, as qualifying for free or reduced price meals. Simpson did not respond to a request for comment about the audit.
Sometimes students’ data is exposed because third parties hold it. In May, hackers posted files they had stolen from the Apollo Career Center, a northwestern Ohio vocational school that partners with 11 regional high schools. Those files include hundreds of high schoolers’ report cards from the last school year, all of which are currently visible.
A spokesperson for Apollo, Allison Overholt, said in an email that the organization was still working to notify students whose information was exposed.
“We are aware of the incident and are investigating it,” she said. “We are in the process of providing notifications to the students and other individuals whose information was involved and will complete the notifications as soon as possible.”
Schools and school districts tend to store a lot of data on children, and often they don’t have the money to pay for dedicated cybersecurity experts or services, Levin said.
“School districts collect a lot of sensitive data on students,” he said. “Some of it’s about its students. Some of it’s about their medical history. It may have to do with law enforcement. It may have to do with broken homes. It is a solemn responsibility that schools have to care for kids, so they collect a lot of data with that.”
Parents are quickly learning that addressing these problems may fall to them. Schools may not even know if they’ve been hacked or if those hackers have posted students’ information on the dark web. And federal and state laws for student information often don’t give clear guidance for what to do if a school is hacked, Levin said.
That leaves parents and children with little they can do to protect themselves from the possibility that criminals will access their personal information and use it to commit identity theft or fraud in their name. The single most important thing they can do is freeze their credit while they’re still underage, said Eva Velasquez, the president of the nonprofit Identity Theft Resource Center, which helps victims of data theft.
“We should for all intents and purposes believe that for the most part, all of our data’s been compromised,” Velasquez said. “We’ve been dealing with data breaches since 2005, and they are absolutely ubiquitous, and just because you didn’t receive a notice doesn’t mean it didn’t happen.”
Freezing a child’s credit can be time consuming, and doing it effectively requires completing the process with all three major credit monitoring services, Experian, Equifax and TransUnion. But it’s become an essential step for digital safety, Velasquez said.
“We encourage parents to freeze childrens’ credit,” she said. “From an identity theft perspective, that is one of the most robust, proactive steps that a consumer can take to minimize the risk. And it applies to kids, and it’s free.”