(The Center Square) – When hackers stole a rural school district’s computer system last year, students in the middle of midterm exams were left frustrated, but concerns went far beyond testing.
Cafeteria staff scrambled to help students who depended on school meals. Parents searched for childcare when district officials canceled classes. Seniors worried about college application deadlines while transcripts were inaccessible.
A report from the Center for Internet Security found such attacks are becoming more sophisticated, more frequent and more damaging to K-12 schools. CIS runs the Multi-State Information Sharing and Analysis Center with the goal of better overall cybersecurity posture for governments at all levels through coordination and collaboration.
The 2025 CIS MS-ISAC K-12 Cybersecurity Report found 82% of K-12 organizations experienced cyber incidents. Of the nearly 14,000 security events, 9,300 were confirmed. It also found that attacks surge during high-stakes periods such as exams, disrupting education and forcing officials to make difficult decisions.
Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, said cyber attacks at school can have “huge, broad implications.” He pointed to the unnamed rural school district highlighted in the report. Like many other schools, it serves as a central hub in the community and school disruption can create a cascade of community problems.
“Schools are really central to a community. So when they’re impacted, it’s far beyond just kids in classrooms,” he told The Center Square. “We’re talking about their kids who only eat when they’re in school. So if they’re out of school, there’s no food. There are parents whose lives are disrupted because they’re unable to work, and a lot of those parents don’t have jobs where they can take time off. So if they’re not working, they’re not making money, which has an impact on the local economy.”
Many districts have some form of insurance to cover cyber attacks, but those policies vary widely in what they cover after a breach, Rose said.
“Insurance will cover things like initial incident response. In some cases, they’ll cover ransomware payments. Sometimes they won’t,” he said. “Sometimes they’ll require you to have a particular provider that does ransomware negotiations with the actors. But sometimes they stop short of actual recovery and future implementation.”
What insurance doesn’t cover usually ends up on local taxpayers.
“If you’re having to pay massive amounts of money for restoration and ransomware payments, guess whose taxes are going to go up next?” Rose said.
It can get more complicated when foreign state-backed groups are involved. Some policies might consider that an Act of War, which isn’t covered.
Recovering from cyber attacks can take time, according to a U.S. Government Accountability Office report from 2023. That report found the loss of learning after an attack “ranged from 3 days to 3 weeks and recovery time ranged from 2 to 9 months.”
The GAO report found financial losses to school districts ranged from $50,000 to $1 million. The GAO also noted that the “precise national magnitude of cyberattacks on K-12 schools is unknown.”
Experts said many attacks are not reported. The issue isn’t limited to schools. It can affect the vendors that districts hire. In 2022, a cyber attack on Illuminate Education, an education technology company based in California, affected more than 1 million students, including students in New York, California, Connecticut, Washington, Oklahoma and Colorado.
Josh Bauman is the technology director at Festus R6 School District, located in Festus, Missouri. The district serves about 3,500 students at five schools near the Mississipi River and the state’s border with Illinois. It’s about 35 miles south of St. Louis. Outside of school, he hosts a K-12 Tech Talk podcast on cyberattacks, talking with school officials who have reported breaches. Most of the people on the podcast change details to protect the identity of the schools involved.
He said simple things such as public-facing school calendars can give hackers an advantage. Since they know what’s happening at the school, they can use information to make strikes more damaging, hit at key times, or wait until no one is in the building.
Bauman said that ransomware attacks have morphed into double extortion-style attacks. First, the hackers will gain access, start extracting data, and then encrypt machines. They’ll then ask for a ransom to get the machines back. If the school district pays, the hackers will threaten to post all the information they downloaded to the dark web unless they get another ransom payment.
The latest trend has been hackers impersonating school vendors, which is also often public information that can be found on a district’s website, to switch accounts and steal the money.
Bauman said that as the threats evolve, so must schools. In the case of a key vendor, for example, school officials may ask the company to come to the school in person to change any payment or account information.
But unlike building a new cafeteria, gymnasium or upgrading sports facilities, money that goes into IT to prevent attacks isn’t very flashy. Rarely is it something that district’s are eager to spend money on, but some insurance policies require schools to have things like multi-factor authentication or procedures in place before they’ll offer coverage, Bauman said.
A 2023 report from S&P Global Ratings found that cyberattacks have not affected schools’ credit quality or resulted in long-term operational problems. Successful attacks can prove costly, requiring technology investments, ransom payments, legal fees, cyber security consultant fees and costs associated with credit monitoring services for affected people, according to the S&P report. That report found 50% of providers paid to get data back.
One more problem: When Bauman and other technology directors discuss prevention efforts with school boards, those discussions often occur during public meetings streamed on the web.
“We don’t want to be in a public setting and say, ‘Oh, hey, we’re using product X, Y, Z to protect our edge,’ and keeping in mind that the bad guys know our calendars, and if we’re streaming our board meetings, it’s a huge threat vector, we have to be very careful about what we say and where we say it,” Bauman said.
