Hackers are leaking children’s data — and there’s little parents can doSeptember 11, 2021
Most don’t have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren.
The ongoing wave of ransomware attacks has cost companies and institutions billions of dollars and exposed personal information about everyone from hospital patients to police officers. It’s also swept up school districts, meaning files from thousands of schools are currently visible on those hackers’ sites.
NBC News collected and analyzed school files from those sites and found they’re littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
Some schools contacted about the leaks appeared unaware of the problem. And even after schools are able to resume operations following an attack, parents have little recourse when their children’s information is leaked.
Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Public school systems are even less equipped to protect students’ data from dedicated criminal hackers than many private sector businesses, said Doug Levin, the director of the K12 Security Information Exchange, a nonprofit organization devoted to helping schools protect against cyberthreats.
“I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed,” Levin said. “And I don’t think people have a good handle on how large that exposure is.”
For more than a decade, schools have been a regular target for hackers who traffic in people’s data, which they usually bundle and sell to identity thieves, experts say. But schools have never had a clear legal mandate for what to do after hackers steal their students’ information.
The recent rise in ransomware has escalated the problem, as those hackers often publish victims’ files on their websites if they don’t pay. While the average person may not know where to find such sites, criminal hackers can find them easily.
Scammers can act quickly after information is posted. In February, just a few months after Toledo Public Schools in Ohio was hit by ransomware hackers who published students’ names and Social Security numbers online, a parent told Toledo’s WTVG-TV that someone who had that information had started trying to take out a credit card and a car loan in his elementary school-aged son’s name.
In December, when hackers broke into the Weslaco Independent School District near the Texas southern border, staff members moved quickly to alert more than…