The recent ransomware attacks on the Tucson Unified School District and Nantucket Public Schools reveal the extent to which cybercriminals are targeting the K-12 sector, exploiting vulnerabilities and leaving severe disruptions in their wake. Although Tucson’s large, urban district of 42,000 students and Nantucket’s small island district with fewer than 2,000 students seem worlds apart, both fell victim to sophisticated attacks within a single day in early 2023. These incidents led to school closures in Nantucket and compromised personal data in Tucson, underscoring a nationwide trend of escalating cyber threats against educational institutions.

Ransomware attacks, where criminals lock down digital systems and demand payment to restore access, have increased dramatically in the K-12 sector. The K12 Security Information eXchange (K12 SIX), a nonprofit dedicated to protecting schools from cybersecurity threats, reports a substantial rise in these incidents, with over 325 ransomware attacks targeting public K-12 schools between April 2016 and late 2022. Since then, there have been nearly 85 additional attacks through October 2023. In many cases, attackers use double or triple extortion tactics, stealing data and threatening to release it on the dark web if payment is not made. This stolen information, often highly sensitive personal data about students and staff, presents long-term risks such as identity theft and fraud.

Roberto Rodriguez, Assistant Secretary for the U.S. Department of Education’s Office of Planning, Evaluation, and Policy Development, notes that K-12 schools face an estimated five cybersecurity incidents per week. The harm extends beyond logistical and financial costs, impacting the emotional well-being of students and staff while raising national security concerns, as international criminal groups frequently perpetrate these attacks. Amy McLaughlin of the Consortium for School Networking (CoSN) views these attacks as not just on schools but on the concept of free public education itself, emphasizing the systemic nature of the threat.

A key reason why schools are particularly vulnerable lies in the wealth of digital assets they hold—such as names, birth dates, Social Security numbers, and financial records—paired with limited cybersecurity budgets and resources. Despite the high stakes, many schools lack the technology and staff necessary to fend off these sophisticated attacks, often due to constrained budgets. Only two-thirds of school districts have dedicated cybersecurity staff, according to CoSN, and a further 12% do not allocate any funds toward cybersecurity. The situation is further compounded by a lack of uniform federal cybersecurity standards across the education sector.

Adding to the challenge, many schools are managing an overwhelming number of digital tools, with the average district deploying 2,739 ed tech tools during the 2023-24 school year, an 8% increase from the prior year, according to a report from Instructure and LearnPlatform. The sheer volume of digital tools in use opens up new avenues for cybercriminals to exploit, as each tool can potentially harbor vulnerabilities if not adequately secured.

The lack of standard protections like multifactor authentication, limited cybersecurity staffing, and fragmented response protocols make K-12 schools an attractive target for cybercriminals. Many schools also maintain trusting environments focused on nurturing, which, while essential for education, can inadvertently make it easier for criminals to take advantage of these vulnerabilities.

The Department of Homeland Security’s 2024 threat assessment highlights the near-constant targeting of K-12 schools by ransomware, attributing this trend to schools’ limited cybersecurity budgets and resource constraints. As cybercriminals see success with ransom demands, they are encouraged to continue targeting schools, amplifying the urgency for districts to prioritize and invest in cybersecurity measures to protect against these persistent threats.

Ultimately, to safeguard students and staff and ensure the integrity of educational systems, the K-12 sector must confront this escalating challenge by adopting robust cybersecurity strategies, securing adequate funding, and fostering a culture of cyber awareness across school communities.