Districtwide email hacks highlight concerns about cybersecurity

Michael Thomas, Managing Editor

Imagine leaving your house having locked all the doors, but with a window left open. An intruder enters and changes all your locks, demanding thousands of dollars to let you back in to regain access to all your valuables and private information. Would you pay up or cut your losses?

School districts and local governments nationwide have had to decide between paying a hefty ransom or losing vital information as ransomware becomes a startlingly common occurrence. Organizations lose thousands or even millions of dollars to retrieve vital information held hostage by groups that usually operate from outside the U.S.

Ransomware is a unique type of aggressive computer software that aims to access an organization’s private information and withhold it from the owner.  Unlike other types of malware, ransomware does not aim to steal one’s identity or illegally sell the information; instead, ransomware demands victims pay a certain amount to gain access to stolen information. 

Typically, ransomware enters a system when someone clicks a link in an email; the malware will then lie dormant until attackers decide to use it.

Cities like Baltimore and Atlanta have not been so lucky, however.  According to “The Baltimore Sun,” a malware attack on Baltimore resulted in $18.2 million in damages after the mayor refused to pay the $76,000 ransom.  In Atlanta, cyber attacks halted everything from computer use to ticket processing. Luckily, the city recently purchased a cyber insurance plan with a $1.8 million premium.

“You’ve got increasingly sophisticated and very persistent bad guys out there looking for any vulnerability they can find like local governments, including Baltimore, who either don’t have the money or don’t spend it to properly protect their assets,” Maryland University professor Don Norris said in an interview with “The Baltimore Sun.”

Despite its growing commonality, ransomware is preventable.

“Ransomware is kind of a tax on the lazy,” New York University computer science professor Justin Cappos said to “City & State New York.” “Poorly secured organizations happen to be entities like schools and governments that either haven’t put the effort in to back up their data or don’t have the technical wherewithal to do so. Assuming you’re doing the very basic things that every organization should do, this shouldn’t be a thing.”

The city of Lodi is an example of preparedness for a ransomware attack.  When hackers demanded $400,000 in Bitcoin to recover the city’s servers and information, the local government was able to switch to its unencrypted backup drives and use outside vendors to continue operations.

According to Lodi City Manager Steve Schwabauer, the city will be spending $500,000 to improve its backup capabilities and cybersecurity.

On a much smaller scale, Lodi Unified School District recently went through an email hacking scare itself, which raises the question: how secure is our cyberspace?

Teachers have developed a habit of using the same password for their school email as they use for outside websites. When these websites are compromised, hackers gain access to the recycled password, which might just unlock the teacher's school email as well.

Joyce Dedini, a _____ teacher at Bear Creek, was a victim of email hacking, though the cause cannot be confirmed. A hacker sent an email to the district’s payroll, requesting that her direct deposit be changed. Teachers’ email passwords give them access to a variety of private privileges and sites.

“With my password, they’re able to get into all my emails, all my lesson plans, [my password] is connected to the gradebook and professional development classes… it could [also] get into Chromebook technology,” Dedini said.

However, Dedini, after being contacted by payroll and technology, was able to change her password and secure her email. 

“It’s a good reminder for teachers to keep their passwords unique,” Lodi Unified Technology Director Edith Holbert said.  “Passwords compromised on the web allow other organizations to enter the system.” 

Although this was a small-scale intrusion compared to what some unlucky cities have faced, it’s a humbling reminder for teachers and Technology Services alike to stay up to date with their cybersecurity.

“There’s always smart people who are going to be able to get in, and then there are stupid people who hand out their password,” Dedini said.