
Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, sits down with host David Braue to discuss a recent ransomware attack on the Penn-Harris-Madison school district in Indiana, including a broader look at how cyberattacks are impacting K-12 schools across the country. The podcast can be listened to in its entirety below.

 

Welcome to the Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing forensic information on all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak

David: Scott, thanks for joining me.

Scott: Yeah, great to be back here with you, David.

David: So, we had an interesting breach recently that we were going to talk about today. It's not the sort of thing that happens all the time. We often talk about attacks on big companies or government agencies, or what have you. This time, it seems to be an attack on a public school district, which is interesting for a number of reasons we'll get into. But what's happened here? First of all, tell us about it.

Scott: Yeah. Well, it looks like the Penn-Harris-Madison School was the victim of a ransomware attack and not a huge school district, but decent size, and they're based out of Indiana. I think they have a little more than 11,000 students there, 15 schools, 11 elementary schools, 3 middle schools, and then one high school, and then they've got, I think, about a little more than 1,200 staff members mixed up with teachers and assistants, and so on, and so forth, so still affected a lot of people. And I think maybe, in this case, look at something like this as a good wake-up call to those in the world of education, and a good reminder, even though it doesn't sound like a lot of things were necessarily compromised as far as confidential information. It still put them on alert, I think, and caused a lot of disruption, and I think that's sometimes the fallout of a lot of these ransomware attacks. It causes people to panic and wonder what was taken, what wasn't taken. How do we proceed? Are we going to get paid? Whatever the case, do we have to take tests? Maybe kids are thinking so, which causes a lot of up-in-arms, I think.

David: You raise a good point. I mean, it's not just about the impact on the teaching. And apparently what's happened is in response to this, they've switched to kind of backup procedures. They've been trying to work around it a bit. The IT people shut down all network-connected desktop computers. So that's basically anything that's potentially going to be getting on the network that way. So this is, I mean, this is a typical kind of response. But the impact, as you said, I mean, goes to even to the point of do the staff get paid? Can teachers work around it? What happens to the students' learning and the continuity of that? As it turns out, it seems to have been a somewhat conveniently timed attack because the students were about to take their SATs and the iReads, which is an elementary-level test. Is it a coincidence, you think?

Scott: I don't know. I started to wonder. Maybe this wasn't the traditional hackers that were performing a ransomware attack. Maybe this was a student that maybe doesn't do too well on their test, but they excel in the world of cyber and computers. Who knows? I'm just speculating there, but I think it certainly could have happened. I know I've even heard in the school district that my kids were in that some interesting things happened around testing time and similar types of things where suddenly computers couldn't be accessed and grades were changed, and there was a whole hoopla and investigation that ensued. But those were not hackers. Those were just students trying to make a name for themselves and kind of rebelling against the system. So things do happen. But this looks, I would say, this is more likely a hacker that came in here, and it was a true traditional ransomware attack that we're seeing the result of, and really the disturbance that it causes, I think, is kind of a pain. But one thing I should add is I thought it was interesting. When I was reading over the articles and doing a little research, they did respond quickly, and they meticulously scanned the entire network. I think they mentioned it was about 96 TB. They had to go through quickly, and they were able to identify and eliminate all the infected files there, which allowed them to work toward restoring all data and operations back to normal functionality. I think that it's good to have that kind of plan where, if and when something happens, you can jump in and you can get things back up quickly. I think that's imperative. And it's true of anybody. Not just in schools but especially in the healthcare sector, critical infrastructure, and small businesses. Everybody needs to have a plan for how to respond if and when they are a victim of a ransomware attack.

David: Yeah, it's so very important, and it sounds at least like they were able to get onto this with some level of order, as it were. It would definitely have been chaotic. I mean, back in our day, when people wanted to disrupt exams, they just pulled the fire alarm, right, or the cherry bombs in the toilet, or something like that. But these days it's a lot easier to do and to interfere with things. I just have this image of Ferris Bueller sitting there and changing his grades, you know, logging in and hacking the servers. There are so many ways to mess this stuff up. It is an interesting space, even just the K-12 space. You don't hear as much about the defenses that they have in place, and you assume that there's so much focus on teaching, on delivering the services, that having that kind of backup plan may be an afterthought for a lot of these organizations. Do you feel like they're particularly, I guess, exposed in this sense that maybe broadly, may not have thought about this kind of thing too much?

Scott: I do think so, and in part, oftentimes, it does come down to, unfortunately, the mighty dollar. Not enough budgets go into school systems despite the ever-increasing taxes that go toward the education sector. At least here in the States. They're probably not doing enough and that's a concern. I think there was one interesting stat I came across. This was in 2023. This is from Cybercrime Magazine, but it mentioned approximately 80% of K-12 educational institutions experienced ransomware attacks with an average remediation cost of $1.42 million per incident. That surprised me. It affected more schools than I thought, and then the damage was actually kind of astounding because when we talk normally about ransomware in different sectors that are affected, I mean, in 2025, we're talking, it's supposed to reach 10.5 trillion dollars. This is globally, now. All of the cybercrime costs and damage, a big chunk of that is coming from schools and the education side here. So yes, this is definitely a wake-up call to all schools that are listening. I think that they need to make sure that they're doing the basics, at least, and get that in place. So they're not a victim, too.

David: So very true. And it seems strange that anyone would even target, you know, a K-12 sort of school. I mean, budget restrictions are legendary in this space. There's not enough money to even do what they need to do or want to do in terms of teaching or service delivery. They're always inevitably running on a shoestring in most places, and so it doesn't seem like any cyber criminal would be really hoping to get much out of them. You know. Blood from a stone, truly, in this sector are always generally struggling financially, which I guess begs the question of, you know, could this just be a student with their parent's credit card that's gone out and done a ransomware-as-a-service, and decided to just sic the forces of ransomware evil on a teacher they don't like, or something like that?

Scott: It very well is possible these days because it doesn't cost that much to hire a cybercriminal or ransomware as a service, and the student, they have a little bit of extra bucks there, and they have a grievance with somebody, and they want to take care of it the way they think it's okay to do. And as we know, that's certainly a crime, and nobody should be doing those types of things, but I think the fact it's so easy to do. And there's a level of anonymity to it, too, that helps, maybe, that somebody could kind of hide behind it and say, "Well, I didn't do it," and yet they secretly hired somebody as a service there to take care of it or take the school down during SAT testing time, or something like that very well could be.

David: It wasn't me. Nobody saw me. You can't prove anything, right? Yeah, what can the State do? I mean, there's always an issue of jurisdiction levels of responsibility. These schools tend to be run at a local level. Is there a role for States to step in and provide support, cybersecurity, and support across all of the elementary and high school level organizations that they are sort of within their jurisdiction? Is this, maybe, a time to rethink how those reporting control and support structures work?

Scott: You bring up a really good point, David; I think states should be involved more, and they should be mandated to come in and really provide the help that is needed so they can get back up to snuff and get educators going again and get students learning again. And some of the things we always talk about with schools come down to budgets. But there are some basic things that they can do that really don't cost that much. Don't have a huge strain on the budget. I'm thinking just about the importance of training staff, training students, developing good cyber hygiene, and developing a good cyber posture. Those types of things do go a long way within a school. Things like, you know, we've heard of phishing simulations, awareness training, those types of things, kind of wake you up to possible threats and prevent some of these things from actually happening. Prevent that person, the innocent staff member, the new staff member, from clicking on that phishing email which leads to a, you know, a ransomware attack taking its full effect. So I would really think that States should push that and get the staff up to speed, training, and have regular cybersecurity awareness even for the kids that are going to school. I know my children. When they went through school they did have that each year, and they had regular training, which I was kind of encouraged when I heard that and they would come home and ask me questions about, "Dad, you know it's important to have a strong password, and you know we use multi-factor authentication when we go on with our Chromebooks," and other things like that. And I said, "You know what, tax dollars are being well spent there."
That's good to hear that they're teaching them at a young age, because I think there is a level, and maybe it's my generation, I can't speak for everybody that didn't get that type of education in school from a cyber perspective, and they're a little bit complacent because I still hear of people, you know, in their forties and fifties that are reusing passwords, and say, "Ah it won't happen to me," or this or that, and that's not good. But the younger generation, maybe because they grew up on technology and smartphones more, they seem a little bit more adept at it, and you tell them, hey, you got to do what MFA is and they get it and they understand it. I don't think it stops them from swiping and clicking and things like that because they're more social media savvy. But I think they can learn better and really assimilate the importance of good cyber hygiene.


We'll be right back after a quick word from our sponsor.

Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.


And now, back to the podcast.


David: We're at a good point in time because things like MFA are well established enough, technologically and conceptually, that if we just say to our kids, this is how you get online, they'll accept that. It's like, I think, driving, you know, with a seatbelt. There was a time when people didn't think about seatbelts, and we had to then get used to the idea of putting a seatbelt on, which makes sense. But for a lot of people, it wasn't habit. These days, I don't think anyone learning to drive would even contemplate not putting their seatbelt on just as a matter of course. And I think the same seems to be happening from what you're saying within schools. So that's definitely a good thing. We're stepping in the right direction to just make it part of how you get online to be secure.

Scott: Yeah, I do think that really, really is a key. That's a good analogy that you provided, too, because that's something we can all relate to. It's a generational type of thing, but we do see a clear distinction between maybe the younger students in a school. I think honestly, probably the problem may be staff and administrators more so than the students sometimes, so maybe start there at the top and work their way down to keep schools safer. That would be good. And I think if States mandated things, and some do, I should say, and some administrations take it more seriously than others, but having the regular backups of critical data, and of course, making sure it's immutable backup, so it can't be altered and modified. They have to be careful what they're putting on the cloud, segmenting the networks, depending upon how the school systems are set up. If they've got grades and curriculum and different access to a lot of different apps, they may want to have proper segmentation of the network. And, of course, the normal things, like firewalls, intrusion detection systems, VPNs. A lot of schools are starting to learn about the importance of that. And I think just the basics. If the State can help push that, that will go a long way from the technical side, where a lot of people get kind of uncomfortable and hear acronyms like MFA or VPN. And their head kind of spins. Well, go in there and help them set it up properly, especially with the Wi-Fi, because in the schools around here, everybody's on their devices. Wi-Fi is allowed, and it's part of a need because they have issued computers and notebooks, and they have to be able to pull down the work. And they have to upload files to Google Drive and other things like that. So it's really part of the learning process. So to really have a seamless interaction between computers, the network, the Wi-Fi, and securing it all. It's really paramount for schools to get this up and get it right.

David: Definitely. And it's interesting you should mention that because so the alert that initially went out to the parents of the PHM District because everybody was notified about what was happening. It did say that, you know, we're shutting down everything connected to the network, but also that the staff and the student computers, the Chromebooks, the laptops, the cell phones, tablets, you know, other Wi-Fi stuff, the cloud-based applications that they're using, that all remained safe, which is an interesting distinction to make because you would think anything connected to the network, whether it's physically or by Wi-Fi, you know, potentially could have been affected here. What's the reason for that distinction, do you think?

Scott: Yeah, I don't know. That is a good point there because I started to wonder, was it discovered fast enough? And were they able to remove the threat? So other things couldn't be accessed, so they weren't able to work laterally across the network. And now start compromising other areas because it didn't seem like they really got that much. I think somewhere I read, there was less than 1% of the actual student documents were actually accessed. And none of that contained actually sensitive data. Of course, a lot of times, these reports come out, and then later on, after investigation, they say, oops, wait a minute. All the passwords were compromised, or oh, they did have access to the grades, or oh no, they did access the social security number. So the jury's still out, as they say, but it looks like they didn't get anything really sensitive. And maybe it's because they reacted quickly, and the cybersecurity came in for that district and said, "Oh no! Somebody clicked on the wrong thing. Here's what happened. Let's stop it. Let's remove it. Shut everything down quickly," and they were able to get things cleaned up and back running fast. That's my guess because this is kind of positive news. Usually, it's too little too late that happens in these types of ransomware attacks, and we didn't hear anything either about whether they went for any type of double or triple extortion where maybe beyond just encrypting the data, they actually exfiltrate sensitive information, and they kind of hold it hostage and say, "Hey, we're going to release this if you don't pay these demands," or we're going to do this or make it go public. So a lot of times it escalates. And there's different levels of things that can happen beyond just a basic ransomware attack where information is encrypted and then they're holding out the, you know, the magic key to pay the ransom, that type of thing. So I think they caught it in time, basically.

David: Well, that's always a very good outcome and not always the case for organizations that are hit in this way. You've got to wonder. I mean, this is a well-regarded school district as well, and you've got to wonder whether it was just someone trying to cause reputational damage, you know. Oh, your students won't be able to do the SAT this time around, you know. Good luck getting into college, right? That sort of thing. I mean, there are so many potential motives for this beyond the financial. Each one of those can affect how this plays out in terms of the way that the schools respond, in terms of the way that the parents respond. You know, we can't trust this school district. Maybe we should move. You know, there's any number of possibilities there that could see this play out in different ways.

Scott: Yeah, I'm glad you brought that up because it's another angle. I didn't exactly think fully about how a brand can get tarnished. A school does have a reputation in a district, and sometimes people will live in a particular district because of the school. Maybe they grew up there, and they liked it. They liked the staff. They like the teachers. They like the schools. Maybe they're part of the parent-teacher organization, and they contribute, and they're there at the bake sale, or they're there with the sporting teams or whatever they're showing their support. And they have a vested interest. Now, when a brand is tarnished a little bit, they may rethink and say, "You know what, maybe we're going to move out of this district. Maybe we're going to go out of state, or we're going to go here or there," because that's really a good point there, because those types of things do happen. We see that more often in the world of business. And hey, how do the shareholders feel? How do the employees feel? Is the stock going to take a hit? How do they rebuild the damage from the brand and all of those types of things? But the same is true in a school has a brand and a reputation. It needs to uphold its reputation in line with the good education that it's hopefully providing to those students who are attending.

David: Absolutely, very, very true. I mean, ultimately it comes down to, I think, the ancient philosopher, Plato said, "It best be true to your school like you would to your girl or your guy." Be true to your school.

Interesting times definitely. Scott, I really appreciate your time as always, thanks so much for joining me today.

Scott: Yeah, thank you for having me here. Stay safe.


Post by Lauren Yacono
April 3, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time