Aftermath of a Phishing Attack
February 01, 2024
Appears in February 2024: School Administrator.
Following a significant financial loss, the Atlanta Public Schools shares its story to motivate others to create safer cyber environments
In early September 2017, as Hurricane Irma was forecast by the National Weather Service to strike the metro Atlanta area, school districts across the region made quick plans to move to remote learning. Employees in the Atlanta Public Schools were asked to work from home to stay safe.
It was during that time that we started receiving phishing e-mails targeting thousands of our employees over several days. These e-mails took on several varied forms, all intended to lure our employees to “reset” their passwords. At the time, we already had a well-developed process in Atlanta for handling these phishing e-mails, and we swung into action to contain and address them.
Just as quickly as the e-mails landed in our inboxes, they suddenly stopped, and we thought we were out of the woods.
Compromised E-mails
September 29, 2017, should have been another ordinary day, a “payday” in the Atlanta Public Schools when the district’s 9,500 employees (including substitute teachers and hourly employees) were looking forward to receiving their paychecks for their hard work. Then, our payroll team started getting calls from employees who did not get paychecks. First, it was a handful of employees. When it was all said and done, 34 employees were missing paychecks.
As our technology team investigated, we quickly discovered the extent of the issues and were able to link them back to the phishing attacks. These employees had fallen for the fake password “reset” e-mails and had unknowingly provided their login credentials during the attack. The bad actors had compromised their e-mails and direct deposit accounts and had routed the paychecks to ghost debit cards. The money was gone.
We immediately engaged federal and local law enforcement agencies and hired cybersecurity experts to work alongside our team to determine the extent of the compromise. Our main goal was to enhance our protections and ensure the criminals had not compromised other critical systems. We worried that private information relating to employees and students had been exposed.
While this incident was financially motivated, it marked a significant turning point in our cybersecurity program. It helped us instantly get the attention and seriousness every program deserves in a K-12 school district.
Expensive Expertise
Every technology leader fears the day their informational and instructional technology systems will be the target of an outside attack. This fear cuts across all industries, from banking to energy production to health care and education.
In education, district leaders and chief information officers (where they exist) are responsible for implementing the systems, processes, people, and technology to prevent these intrusions. When posting jobs to hire cybersecurity engineers, district technology leaders need the resources to compensate knowledgeable and experienced staff. Competition for their skill sets comes from the private sector with its greater financial resources, making it harder to attract the best talent. District technology leaders operate at a disadvantage due to limited budgets.
While cybersecurity always had been considered necessary in the Atlanta Public Schools, the program did not receive nearly as much funding as in the year immediately following the attack, which was crucial in helping us invest significantly in our program.
Platform for Urgency
Security is not an exact science and often involves building layers around your critical assets and infrastructure to make it difficult for bad actors to attack those assets. Therefore, creating a safe cyber environment for schools involves a combination of technical measures, policies, and educational initiatives. These include (1) implementing robust network security; (2) securing personal tech devices of students, teachers and staff; (3) implementing user authentication strategies; (4) providing cybersecurity awareness training for students, teachers and staff; (5) updating software regularly; (6) securing Wi-Fi networks; (7) implementing data backup and recovery strategies; (8) developing incident response plans; (9) implementing Internet content filtering; (10) collaborating with law enforcement; (11) performing regular security audits; (12) implementing privacy policies; (13) involving parents and guardians; and (14) collaborating with informational technology professionals.
While it is expensive for schools to be proficient in all of these areas, the district’s tech leadership must work with superintendents to build a comprehensive cybersecurity program and prioritize the areas to be addressed first while working to improve other areas.
In Atlanta, the incident with the employee paychecks gave us a platform to advocate for urgent initiatives to be implemented immediately. Because we had an audience with the superintendent and chief financial officer, we could make the case for several technology tools to scan and filter our e-mail system for phishing attempts.
Collaborative Measures
Superintendents and their cabinet members can support their technology leaders in several ways before a cyberattack (preventative) and after an attack (curative).
Technology leaders will need their support to rally employees and students very quickly around any cyber initiatives that may be needed to counter or limit the impact of the attacks. District technology staff may be unable to do this themselves in the relatively short period it will be needed.
Collaboration also will be needed to develop short- and long-term budgets to address the immediate resource needs and build a sustainable program for years to come. We also requested additional funds to hire a cybersecurity firm to aid in the investigation immediately. While we ultimately did not use it, we had support from the superintendent and the chief financial officer to offer free credit monitoring should any employee learn his or her personal data was exposed. In the months following the incident, we worked with the budget team to fund other security measures.
While regularly providing status updates to our senior leadership, this experience also allowed us to collaborate with other internal division leaders. We worked with our chief human resources officer to incorporate cybersecurity awareness training into the annual ethics training required for all employees. We worked with the C-suite executives to enforce compliance with the cybersecurity training for all their employees. Our leadership team also consented to periodic “mock phishing” exercises where employees who failed to identify the potential threat would be enrolled in additional training.
Unknown to us then, several other school districts nationwide had experienced the same attacks we experienced in Atlanta. Because most of us don’t share cyberattack information openly, we had no opportunities to learn from other school districts (which might have prevented us from financial losses). As a result, we have made it our mission to share our story. We have since openly shared details of our attack with other school districts, especially our counterparts around Atlanta. The goal is to increase information sharing and learn from some of the best practice initiatives deployed across our state.
We see the Atlanta Public Schools case study as a compelling testament to the importance of a comprehensive and proactive approach to cybersecurity in K-12 education. School districts can bolster their defenses, mitigate risks and create a resilient cyber environment to benefit students, teachers and staff through continuous advocacy, collaboration and information sharing.
Olufemi Aina is the executive director of information technology for the Atlanta Public Schools in Atlanta, Ga.
By Kelly B. May-Vollmar
As a former chief innovation and information officer turned superintendent, I am keenly aware of the importance of the relationship between a school district’s technology leader and a superintendent. When considering cybersecurity, data privacy and related issues, the superintendent has a responsibility to support the district’s technology leader, but what does that look like in reality?
Primarily, it’s the relationship that matters.
In Desert Sands, a school district in Southern California with about 26,000 students, we have spent several years working to ensure our chief innovation and information officer has a seat at the table and a strong relationship with the superintendent. When I became the CIIO, I quickly realized important decisions about technology and cybersecurity were being made without me being in the room. Thankfully, when I approached the superintendent and asked for access, he was supportive.
I highly recommend that superintendents find ways to build the relationship with the chief technology officer. Now that I am superintendent, my CIIO is a member of our executive cabinet, and we meet regularly. We also attend the Consortium for School Networking and International Society for Technology in Education conferences together.
Lending Voice
The Wallace Foundation, in its publication “Strong Leaders, Strong Schools,” states that “effective professional development should be ongoing, embedded in practice, linked to school reform initiatives, problem-based and tied to the individual’s strengths and weaknesses.”
As a superintendent, it can be challenging to stay current on technology in K-12 education as advancements are rapid, thus making professional development in this area necessary.
In addition to the professional relationship between the superintendent and technology leader, support also matters. Recently I was standing near a technician who was onboarding a senior district leader. The technician, being respectful, said, “We strongly encourage you to set up two-factor authentication.” I quickly stepped over and informed the new senior leader that it wasn’t just encouraged, it was required. I then called my technology director and asked that the technicians start saying, “The superintendent has required two-factor authentication be set up on your account.”
When determining how to support your technology leaders, consider your role as an instructional leader. You help to set the stage, collaboratively work with stakeholders to establish goals and expectations, provide direction to the school district and support implementation. Organizational technology initiatives require the same support.
As a former technology leader, I am aware that end users are potentially the weakest link in our organization. In establishing expectations, I recently added a training video on phishing to the list of mandatory staff training. By finding ways to support security efforts, I am supporting my technology leaders.
As a member of the Student Data Privacy Consortium, Desert Sands requires a strict data privacy agreement in any contract where student identifiable information will be shared. Some vendors won’t sign the agreement, which means teachers are sometimes unhappy they cannot use a particular application or software. It is my role to support my technology team by not allowing exceptions to this practice.
Board Understanding
Educating school board members is also important to supporting technology leaders. Cybersecurity initiatives are expensive, and it is the superintendent’s responsibility to inform the board of the necessity and cost implications so they support proposed vendor contracts with full understanding. To be able to do this, the superintendent must stay informed of current technology trends.
As a superintendent, I believe it’s essential to be knowledgeable about the budget required to maintain technology initiatives and keep data secure. As a CoSN board member, I have had many conversations with technology leaders around the country who struggle to help their superintendents understand the vital need of funds for sustaining technology and cybersecurity.
If your district does not have a sustainability plan for connectivity and cybersecurity, working with your technology director to create one is a great first step.
Granted, a superintendent’s time and attention are in high demand. To ensure a safe and secure environment for a school district’s staff and students, prioritizing the relationship with the technology director is of the utmost importance.
KELLY MAY-VOLLMAR is superintendent of Desert Sands Unified School District in La Quinta, Calif.
Olufemi Aina suggests these essential steps for every K-12 school district.
- Invest in the most impactful security measures and build toward a mature cybersecurity plan.
- Reorganize and actively address resource constraints.
- Focus on collaboration and information sharing.
- Conduct independent cybersecurity assessments every 2-3 years (if possible).
- Sign up for free Cyber Hygiene Vulnerability Scanning.
- Connect with your regional Cybersecurity and Infrastructure Security Agency adviser (which is free from the federal government).
The leadership of the Atlanta Public Schools has relied on the informational and tactical resources of these organizations to ensure no recurrence of a phishing attack on its data systems.
- Center for Internet Security
- Cybersecurity and Infrastructure Security Agency: www.cisa.gov/K12Cybersecurity and www.cisa.gov/cyber-hygiene-services
- Electronic Frontier Foundation
- National Cybersecurity Alliance
Author
Advertisement
Advertisement
.png?sfvrsn=53cf74f6_7)
Advertisement
Advertisement