Episode 155: Why K-12 Cyberattacks Disrupt Learning And What Parents Can Do

Show Notes

A single ransomware email can steal weeks of learning and years of privacy. I dig into the hard truth behind rising cyberattacks on K‑12 schools: why districts are prime targets, how AI makes phishing smarter, and what happens when student records and critical systems are held hostage. From real breaches that forced closures to vendor incidents that exposed millions of records, I unpack the patterns every parent should know and the practical steps that actually reduce risk.

I talk candidly about the district catch‑22—highly sophisticated attackers versus limited budgets and staff—and the policy landscape that leaves schools to fend for themselves. You’ll hear how inconsistent state laws and a shrinking federal role compound the problem, why under-reporting persists, and what it really costs when systems go dark: lost instruction, emergency spending, and long-tail identity theft for students and staff. 

Most importantly, I share four pointed questions you can bring to your principal or district leader to spark transparency and action. These questions turn concern into momentum and help protect both learning time and personal data. If you care about safer classrooms and resilient technology, this conversation gives you the language and leverage to push for change.

If this resonates, follow the show, share it with a friend, and leave a quick review to help other families find it. Your voice can shape smarter, stronger safeguards for every student.

Love my show? Consider being a regular subscriber! Just go to https://tinyurl.com/podcastsupport. 

Support the show

• Thanks for listening! For more information about the show, episodes, and ways to support, check out these websites: https://k12educationinsights.buzzsprout.com or https: //www.liberationthrougheducation.com/podcast
• Subscribe on Buzzsprout to receive a shout out on an upcoming episode
• You can also support me with ratings, kind words of encouragement, and by sharing this podcast with friends and family
• Contact me with any specific questions you have at: kim@liberationthrougheducation.com

Chapters

• 1:01: Welcome And Mission
• 3:35: The Stakes Of K‑12 Data Breaches
• 7:20: Why Schools Are Prime Targets
• 11:21: How Ransomware Unfolds
• 16:39: Underreporting And Real-World Incidents
• 21:01: State Laws, Policy Gaps, And Funding
• 25:21: Federal Pullback And District Burdens
• 29:02: Case Studies: Flagstaff And PowerSchool

Transcript

SPEAKER_00: 0:36

Welcome to another episode of K-12 Public Education Insights, Empowering Parents of Color Podcast. The podcast that converges at the intersection of educational research and parental actions. It's about making the trends, topics, and theories in public education understandable so that you can implement them into practical, actionable strategies that work for your children. My name is Dr. Kim J. Fields, former corporate manager, turned education researcher, and advocate, and I'm the host of this podcast. I got into this space after dealing with some frustrating interactions with school educators and administrators, as well as experiencing the microaggressions that I faced as an African American mom raising my two kids who were in the public school system. I really wanted to understand how teachers were trained and what the research provided about the challenges of the public education system. Once I gained the information and the insights that I needed, I was then equipped to be able to successfully support my children in their educational progress. This battle-tested experience is what I provide as action steps for you to take. It's like enjoying a bowl of educational research with a sprinkling of motherwit wisdom on top. If you're looking to find out more about the current information and issues in education that could affect you or your children, and the action steps you can take to give your children the advantages they need, then you're in the right place. Thanks for tuning in today. I know that staying informed about K-12 public education trends and topics is important to you, so keep listening. Give me 30 minutes or less, and I'll provide insights on the latest trends, issues, and topics pertaining to this constantly evolving K-12 public education environment. Millions of student data exposed. Was your child's data part of the breach? How would you feel if it was part of a data breach? Helpless? Hopeless? Angry? Upset? That's why understanding this issue's impact on schools is vital. Cybersecurity attacks on schools are happening all too often. More than half of the incidents that have occurred within the last two years were caused or carried out by staff or students, and nearly 60% resulted in students' personal data being compromised. 82% of K-12 public schools experienced a cyber incident between July 2023 and December 2024. This episode is part two of the two-part series on data, privacy, and cybersecurity, and it focuses primarily on cybersecurity risks, their impact on your child's educational experience, and the prevalence with which cyber attacks are targeting schools. If you missed part one of this series on data privacy and data security for your child's school records, check out episode 154. Keep listening to this episode because at the end, I provide four key questions you can ask your child's school principal or district leader to understand the plan of action they have in place in case of a cybersecurity attack. Not taking data, privacy, and cybersecurity issues as serious concerns would be short-sighted on your part. You don't have to be a technologist to understand the risks of data exposure. It's never too late to be up to date on how your children's schools are addressing these issues. Let's gain some insight on this. When a cyberattack happens, schools can lose instructional time as well as thousands of dollars responding to it. This causes huge problems for school districts. Cyberattacks on school districts have become so common in recent years that school district leaders say it's not a matter of if it will happen to the district, but when. One of the reasons for this is that districts rely more heavily on the use of digital technology for instruction and school management also. Cybercriminals are getting more sophisticated due to advances in technology such as artificial intelligence. Education was the fourth most targeted sector for ransomware attacks during the first half of 2025, with an estimated 130 ransom attacks and an average ransom demand of$556,000. Business, including utility companies, as well as government and healthcare sectors, were the top three targets for ransomware attacks. Schools are tempting targets for hackers because they have tons of sensitive data and because schools have become more reliant than ever on digital tools. The challenge is that not only are cyber attacks ongoing, but the complexity and the sophistication continues to increase because they're getting fueled by AI. Many of the red flags that experts used to tell people to look for in phishing attacks, such as weird grammar or tone, can be now solved with generative AI. School districts are essentially in a catch-22 situation, trying to defend against highly sophisticated attackers with very limited budgets and very limited staffing. Here's how a cyber attack can happen. Essentially preventing the district from accessing the data. The hackers agree to decrypt and return the data if the district or its cybersecurity insurance company pays the ransom. Attackers may also threaten to release students and employee data to the public if they are not paid. In some cases, in the past, districts have paid the ransom, but guidance from the FBI and the Cybersecurity and Infrastructure Security Agency discourages paying the ransom because it doesn't guarantee that the data will be decrypted or that the systems will no longer be compromised. Paying cyber criminals also encourages hackers to target more victims. However, as a result of insufficient cybersecurity resources, districts sometimes have to pay ransom fees to get their systems back because starting from scratch would be more expensive. K-12 schools should build a culture of cybersecurity, safety, because cybersecurity is the entire district's responsibility. There should be regular training for everyone who accesses district networks. Many of the data breaches and cybersecurity attacks are likely undetected or unreported. Many of these incidents are significant, resulting in theft of millions of taxpayer dollars, stolen identities, tax fraud, and altered student records. Public schools struggle to secure their networks and protect the sensitive personal information of students and staff. They tend to underestimate cyber threats and are often failing to take even basic precautionary measures. The results of this dynamic have been evident in headline generating incidents, such as the case of two Michigan middle school students hacking their school district for more than two years. While the size and location of districts doesn't seem to directly correlate to their likelihood of falling victim to a cyberbreach, there are signs that school districts serving fewer students in poverty are more likely to be affected. The K-12 Cybersecurity Resource Center report highlighted the top 10 list of K-12 cybersecurity incidents over the past five years. These include an incident in Pennsylvania where the State Education Department suffered a potential breach with its teacher information management system risking the personal information of 330,000 school staff. The Florida Virtual School unwittingly published unencrypted personal information of students and staff, some of which ended up on unregulated dark websites. Roughly 368,000 current and former students, staff, and families were affected by this data breach. Also, a Massachusetts school district paid a$10,000 ransom in Bitcoin after it was hit by a ransomware attack and was unable to access its own email services, school lunch payment services, and their website. A Texas school district was scammed out of$2 million in school construction funds, one of the numerous incidents in which school business officials were targeted in a successful phishing attack, leading to district payments being improperly directed to fraudulent accounts. And another incident is within the Chicago Public School Systems, which disclosed three data breaches in one year alone. A Texas law requires districts to plan for cyberattacks. Will other states follow this example? This law requires school districts in Texas to develop plans to protect online infrastructure from cyberattacks, making determinations of cybersecurity risk and respond accordingly, and designate a cybersecurity coordinator who will be the liaison between the Texas Education Agency and the district. The intent of the law is to push K-12 systems toward having a basic understanding about the need for effective practices in cybersecurity. This law, however, doesn't clearly classify what a cybersecurity incident is. As it stands now, districts could be inclined to report minor cyber incidents and blow them out of proportion for fear of being penalized for not notifying the state. Or they could choose not to report attacks because they're afraid of having a stigma attached to their school district. Although cybersecurity attacks and ransomware affecting K-12 systems have become more common, few states have approved legislation aimed at combating the threat, leaving it in most cases to districts to develop protections. State policymakers across the political spectrum are grappling with how to help K-12 schools respond to mounting cybersecurity threats, even as the Trump administration rolls back federal resources meant to help districts counter such threats. Lawmakers in Arkansas, Massachusetts, Oregon, Ohio, Pennsylvania, and Texas have considered a total of 18 bills in this year alone that directly address K-12 cybersecurity. Of these 18 bills, seven have been active as of July 2025. While federal support for K-12 cybersecurity is in turmoil, several states are advancing innovative legislation to help safeguard student data, improve incident response, expand insurance access, and build the cybersecurity workforce that is so urgently needed. The flurry of state legislative activity in the states and elsewhere comes as the federal government is diminishing its role in helping schools prevent and respond to cyber attacks. For example, the Trump administration recently disbanded a cybersecurity advisory group aimed at giving education organizations a chance to shape the federal response to K-12 cyber threats. The Trump team also cut the K-12 cybersecurity programs that work with government entities, including school districts, on responding to cyber attacks. And then the administration shuddered without explanation the readiness and emergency management for schools technical assistance center. The center offers resources to schools to prepare for active shooter incidents, cyber attacks, and other emergency disruptions. K-12 schools are a top target for cyber attacks, which have been increasingly sophisticated over the last few years. The problem is that many school districts are not prepared to meet that growing threat. More than half of the districts, specifically 61%, don't have dedicated cybersecurity budgets and rely on general funds to cover those expenses. With declining federal resources, states will have to step up to help schools prevent and respond to cyberattacks. And just so you know, there's an increasing number of cyberattacks that now come from outside the United States. Stepping away from helping districts with cybersecurity essentially means the federal government is asking school districts to shoulder the burden of a homeland security problem. Schools stand to lose vital cybersecurity support from the federal government as the Trump administration takes dramatic steps to shrink its size, and the Education Department suspends a major cybersecurity support initiative. Here's the thing. This is one realm where states and schools simply cannot fill the role the government provides. Please be aware that cybersecurity attacks are costly both financially and academically. School districts have lost between$50,000 and$1 million per cyberattack, and the loss of learning time after a cyberattack has ranged from three days to three weeks. Most of the support federal government provides school districts does not come as direct funding, but rather in sharing expertise and intelligence. Schools' infrastructure projects like cybersecurity mitigation are critical. If these infrastructure projects fail, most schools do not have the proper mechanisms in place to respond should a threat occur. Let's look at a couple of examples of real life incidents of cybersecurity attacks. The FLACSTAP Unified School District in Arizona was a victim to a cybersecurity attack so disruptive it forced schools to close for two days. The ransomware, which is a form of malware that typically requests payment in exchange for access to locked computers, was detected when a message popped up asking for payment. The message didn't include a specific dollar amount and it had untraceable contact information. The district didn't consider making a ransomware payment. The Flagstaff situation is not unique. A recent Education Week Research Center survey found that 27% of education technology leaders consider malware and viruses to be a significant or very significant problem. The K-12 Cybersecurity Resource Center has documented 122 publicly reported cybersecurity attacks on schools as little as four years ago. More than half of these incidents were caused or carried out by staff or students, and nearly 60% resulted in students' personal data being compromised. 82% of K-12 public schools experienced a cyber incident between July 2023 and December 2024. Ransomware attacks against schools, colleges, and universities globally increased 23% year over year in the first half of 2025. School districts need to utilize basic cyber hygiene practices, such as deploying anti-malware and anti-phishing technology, ensuring IT systems are backed up, implementing multi-factor authentication, and offering user training, all of which can make a difference to mitigate cyber attacks. Here's another real life case study of a ransomware attack. Power School, which runs the most commonly used student information system in U.S. schools, had a cybersecurity breach that exposed the sensitive personal information of millions of students and educators. School districts that were affected by the PowerSchool data hack last December are now facing extortion attempts by cybercriminals. In the days following that December cybersecurity incident, Power School paid a ransom in exchange for the deletion of the stolen data because the company thought it was the best option for preventing the data from being made public. Since then, a threat actor, which is a term used from cybersecurity subject matter experts, contacted several school district customers of Power School recently in an attempt to coerce them using data that the perpetrator claimed was from the December incident. In North Carolina, where all public school districts and charter schools use Power School's student information system, dozens of Department of Public Instruction employees and local school district staff members were among those who received extortion emails from the threat actor. The hacker asked for Bitcoin in exchange for the stolen data. The North Carolina Department of Public Instruction did not engage with those threat actors. It's important for people to understand that these extortion demands may go far and wide. And it's also important not to show that the recipient of any of these messages is an active account and has an interest in the issue because then they could become a greater target themselves. Power School was providing two years of free credit monitoring and identity protection services for students and faculty affected by the December data breach. North Carolina's contract with PowerSchool expired this summer, and its new student information system vendor will be Infinite Campus, a vendor which has been deeply investigated as far as its security practices. So, what can you do with the information that I just shared and how does it affect you personally? Here are the action steps you can take regarding cybersecurity for your child's records. I hope you are now able to see the connection between the cybersecurity attack at your child's school and the disruption, although it may be temporary, of their educational instruction. That temporary loss of learning time could last from three days to three weeks. Do you feel comfortable with that? Can you handle that? Now you might be thinking, what can I do to determine whether the school has a policy for mitigating ransomware or cybersecurity attacks? Well, you can begin by asking the school principal or district leader questions like one, does the school or district have a point person for cybersecurity? This person should be minimally coordinating across the whole district to ensure cybersecurity best practices are followed. Two, what are the basic cybersecurity protections that the school provides for my child's data? These protections should include things like using spam filters and anti-phishing tools, turning on multifactor authentication, backing up data regularly, and storing the information on a totally different network. Three, does the school have an incident response plan in the event of a cybersecurity attack? And four, how often is the incident response plan practiced? As a general rule, it should be practiced as often as fire drills are practiced. Getting answers to these questions can at least be the start of your understanding about how your children's data are being protected in the event of a cybersecurity attack. You deserve transparency about what data are collected, where the data are stored, and who is allowed to see your child's data. Here are this episode's takeaways. The challenge for school districts in trying to stay ahead of cybersecurity attacks is that not only are cyber attacks ongoing, but the complexity continues to increase because they're getting fueled by AI. School districts are essentially in a catch-22 situation trying to defend against highly sophisticated attackers with very limited budgets and very limited staffing. Although cybersecurity attacks and ransomware affecting K-12 systems have become more common, few states have approved legislation aimed at combating the threat, leaving it in most cases to districts to develop protections. K-12 schools are a top target for cyber attacks, which have become increasingly sophisticated over the last few years. The problem is that many school districts are not prepared to meet that growing threat. School districts need to utilize basic cyber hygiene practices such as deploying anti-malware and anti-phishing technology, ensuring IT systems are backed up, implementing multi-factor authentication, and offering user training, all of which can make a difference to mitigate cyber attacks. What are your thoughts about cybersecurity attacks and the impact they have on your child's data? Voice your concerns by leaving me a text comment on my podcast website, k12educationinsights.budsprout.com. Here's how you can leave that text comment. Go to the episode description page and click on the send me a text message. Again, that's k12educationinsights.budsprout.com and leave me your thoughts in that text message today. If you enjoyed this episode, why not listen to another episode from my catalog? It can take as little as 15 minutes of your day. And remember, new episodes come out every Tuesday. Now, would you do me a favor? Go online right now and share this episode with one friend who you think will love it. Thanks for listening today. Be sure to come back for more insights on K 12 educational topics that impact you and your children. Until next time, learn something new every day.