Ransomware attacks show vulnerability in Iowa schools
Cyber insurance grows more costly, and is harder to obtain, experts say
By Maggie Bashore - Correspondent
Dec. 20, 2022 6:00 am
In July 2019, Superintendent Devin Embray found out that the Glenwood Community School District, in Mills County, was held hostage by foreign ransomware attackers.
The hackers encrypted student data that included schedules, contact information and demographic facts, making it inaccessible to the school’s administrators, Embray said. The attackers demanded $130,000 worth of cryptocurrency to unlock the encrypted data. Glenwood ended up paying $10,000 in ransom.
“There was really nothing we could do on our end,” Embray said.
The 2019 Glenwood attack is just one example of a surge in ransomware attacks on Iowa schools. While Glenwood chose to publicly acknowledge the incident, many schools that are targeted do not. Most attacks go unreported and communities are left in the dark about what happens to their private information and taxpayer dollars.
Aaron Warner, chief executive officer of ProCircular, a cybersecurity firm in Coralville, said hackers usually demand between $2 and $10 million from larger school districts.
For schools, increased ransomware attacks bring steep insurance costs, rigorous requirements to qualify for insurance and, in some cases, disruptions in education.
“I would say that every school is attacked in one way or another every single day,” said David Fringer, the executive director of information technology at Green Hills Area Education Association near Council Bluffs.
Fringer said larger schools are appealing targets because they have more money, but it is easier for ransomware criminals to attack smaller schools. He said ransomware groups demand lower amounts from smaller schools but attack more of them.
Recent ransomware attacks on Iowa schools include those in 2022 that hit the Cedar Rapids Community School District, the Linn-Mar Community School District and the Davenport Community School District. Unlike Glenwood, these schools did not voluntarily disclose details of their ransomware attacks, including how much ransom was paid, to prevent sensitive information from being leaked.
The Linn-Mar school district initially described its cyberattack in late July as “technical difficulties” within the school’s servers. A notice filed later with the Iowa Attorney General’s Office said that names and Social Security numbers of thousands of current and former employees — but not student data — may have been stolen during the attack.
The Cedar Rapids Community School District informed parents that a ransom was paid but did not disclose the amount. The ransomware attack on the Davenport Community School District was made public by the criminal group, known as Karakurt, in a post on the dark web where it threatened to release students’ personal information online.
Fringer said schools are advised to handle ransomware attacks privately.
“It is the belief of the FBI and the Department of Homeland Security that once the who and the how get out about cyber incidents, it encourages other attacks,” he said. Others, however, argue that the schools’ secretive handling of the attacks fuels skepticism.
Randy Evans, executive director of the Iowa Freedom of Information Council, a nonprofit that advocates for open government, is calling for schools to disclose ransomware attacks and payment amounts.
“Government entities belong to the public and not to government officials,” Evans said, referring to the Cedar Rapids district attack. “The owners of the Cedar Rapids school district ought to know: did they pay a ransom, how much did they pay, what assurances they have that the problem is resolved?”
Evans said Iowa’s Open Records Law allows public records dealing with cybersecurity to be kept confidential. But he said he is concerned that the public does not understand the magnitude of the problem and noted that the Cedar Rapids and Davenport school districts are Iowa’s second and fourth largest school districts.
‘Nothing more important’ than kids
ProCircular’s Warner said attacks on K-12 institutions accounted for most of the ransomware cases his firm handled in the last six months. “They’re targeted primarily because of their sensitivity to downtime. There are a lot of very time-specific pressures in the education world that maybe don’t exist in other industries,” he said.
He also said the involvement of children can make districts more willing to pay. Ransomware groups often publicize who their victims are to encourage parents to pressure schools. “When a bad guy holds a school hostage, the stakes go up because there’s nothing more important to people than their kids,” he said.
Warner said one of the best ways schools can mitigate potential ransomware losses is by purchasing cybersecurity insurance. He said costs depend on several factors, such as a school security system’s maturity and the number of cybersecurity incidents that previously have occurred. But costs are rising.
Fringer said the annual cyber insurance cost for the Green Hills AEA was $23,000, but that would be on the lower end because the AEA doesn’t serve students directly. Annual costs for the Council Bluffs school system three years ago, when he worked there until June 2020, went from near $15,000 to $30,000 and then as high as $50,000 over a few years, he said. The district had 9,500 students and 1,200 staff.
Insurance companies also have increased the number of security requirements, such as having multi-factor authentication for faculty and students.
“Insurance policies have gone from a one-page questionnaire to a 35-page audit, and schools often need assistance to get through that to even get insurance,” Warner said.
Vivien Guo and Makenna Mumm contributed to this story, which was produced as part of a University of Iowa School of Journalism and Mass Communications project.
State Sen. Zach Wahls and ProCircular Chief Executive Officer Aaron Warner discuss cybersecurity in government and business on June 18, 2019, at ProCircular's Coralville headquarters. (The Gazette)