Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by The 74 shows.
An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents, and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations” that keep key details hidden from the public.
In more than two dozen cases, educators were forced to backtrack months—and in some cases more than a year—later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges, and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.
The hollowness in schools’ messaging is no coincidence.
That’s because the first people alerted following a school cyberattack are generally neither the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.
The attorneys, often employed by just a handful of law firms—dubbed breach mills by one law professor for their massive caseloads—hire the forensic cyber analysts, crisis communicators, and ransom negotiators on behalf of the schools, placing the discussions under the shield of attorney-client privilege. Data privacy compliance is a growth industry for these specialized lawyers, who work to control the narrative.
The result: Students, families, and district employees whose personal data was published online—from their financial and medical information to traumatic events in young people’s lives—are left clueless about their exposure and their risk of identity theft, fraud, and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.
Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that the surge in incidents has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have stated that when a target carries cyber insurance, ransom payments are “all but guaranteed.”
In 2023, there were 121 ransomware attacks on US K-12 schools and colleges, according to Comparitech, a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the cybersecurity company Malwarebytes reported 265 ransomware attacks against the education sector globally in 2023—a 70 percent year-over-year surge, making it “the worst ransomware year on record for education.”
Daniel Schwarcz, a University of Minnesota law professor, wrote a 2023 report for the Harvard Journal of Law & Technology criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers—often called breach coaches—arrive on the scene.
“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told The 74. “What breach coaches try to do is push right up to that line—and sometimes they cross it.”
When Breaches Go Unspoken
The 74’s investigation into the behind-the-scenes decision-making that determines what, when, and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators, and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.
Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search—even as school districts deny that their records were stolen and cyberthieves boast about their latest score.