When the Albuquerque Public Schools superintendent announced earlier this week that a cyberattack would result in the cancellation of classes for about 75,000 students, he noted that the district’s technology department had been fending off attacks “for the past few weeks.”
Albuquerque is not alone, as five school districts in the state have suffered serious cyberattacks in the past two years, including one district that is still grappling with a cyberattack that hit just after Christmas.
But it’s the first time a cyberattack has been reported that required classes to be canceled, which is all the more disturbing as schools try to maintain in-person learning during the pandemic.
“If it seems like I’ve come to your house many times over the last few years to share difficult news with you, then you’re right. And here I am again,” Superintendent Scott Elder said in a video address Thursday. “We face another challenge.”
The Thursday and Friday closures affect about one in five schoolchildren in New Mexico in the nation’s 35th-largest school district by enrollment, according to 2019 data from the National Center for Education Statistics. The district was one of the last in the state to reopen last year as vaccines became available.
The small town of Truth or Consequences discovered a cyber attack on December 28 and still hasn’t gained control of its computer systems.
“We’re not over the hill yet,” said Mike Torres, director of information technology for the school system in Truth or Consequences, a small town in central New Mexico.
The attack has not yet been reported. It came when the students were on vacation to have time to make contingency plans before the students returned. Torres says that while the attack “rendered computer systems unavailable,” the disruption was minimal.
That wasn’t the case in Albuquerque, where teachers Wednesday morning discovered they were locked out of the student information database, which tracks attendance, records emergency contacts for students and tracks which adults are allowed to pick up which students at the end of the school day.
In 2019, Las Cruces Public Schools also suffered an attack on its student information database after a phishing attack tricked one or more staff members into clicking a malicious link in an email months earlier, recalls Matt Dawkins, the director of information technology for that district.
After one or more hackers spied and spied on the district’s system, they carried out a ransomware attack. Data on many school computers, beginning with the student database, was locked in an encryption. A ransom was demanded for the key.
“It’s kind of like having your house robbed, you know? That feeling of being hurt,” Dawkins said in an interview Thursday as his school went into lockdown due to an unrelated police call a mile away.
The school didn’t pay the ransom and eventually found a way to restore their data systems to the state they were in the day before the attack. But it required months of hands-on work and additional expenses for temporary Wi-Fi hotspots and some new computers. Insurance covered much of the cost of the attack.
Costly cyberattacks have hit at least four other New Mexico schools in the past two years, according to Patrick Sandoval, interim director of the New Mexico Public School Insurance Authority, which insures all counties in New Mexico except Albuquerque.
Targets in the US in 2021 included universities, hospitals and a major fuel pipeline. Data on the number of attacks and their cost is difficult to trace, but the FBI’s 2020 Annual Cyber Attacks Report states that this year around US$4.1 billion (approximately Rs.30498.465 billion) in damages from institutions have been reported across the country.
Dawkins added that if Albuquerque faces a ransomware situation that hasn’t been confirmed, it could face a more complex attack. Instead of holding information hostage, ransomware attacks are now threatening to sell data online to the highest bidder. So not only could student data in Albuquerque be locked up, Dawkins said, but it could also be shared with identity thieves and other bad actors.
Albuquerque Public Schools has not said whether the cyberattack they are facing was a ransomware attack, only that their database of student information was “compromised” and that they are working with law enforcement and contractors to repair the damage to limit.
Whatever the cause, they face a similar problem to Las Cruces in the days following the attack.
The database used to track attendance and other students was down. It was also recognized that laptops had to be quarantined and decommissioned, forcing teachers to work offline.
“Immediately our teaching department turned to pen and paper, you know, kind of an old-fashioned way of teaching, so our print shop printed materials. The teachers were able to adapt very quickly,” said Dawkins.
Albuquerque Public School officials didn’t elaborate on the decision to close schools and didn’t respond to inquiries Thursday about why a paper system wasn’t possible.
The decision to continue teaching at Las Cruces came at a price. Dawkins said it likely took longer to wipe and reset the school’s thousands of computers while teachers and administrators worked normal hours, and they had to live without technology for weeks.
In January 2020, the district’s computers were up and running again and in good time – the pandemic forced teachers and students to take up distance learning just a few months later.
Check out the latest from the Consumer Electronics Show on Gadgets 360 in our CES 2022 hub.