US Hackers are leaking children’s data — and there’s little parents can do
80-mile challenge, bean field ravine, mountain lion attack: News from around our 50 states
Wisconsin school board to reconsider no-free-lunch policy, campaign tries to get Native Hawaiians on board with vaccines, and moreStart the day smarter. Get all the news you need in your inbox each morning.
Most don’t have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren.
Thehas cost companies and institutions billions of dollars and exposed personal information about everyone from to . It’s also swept up school districts, meaning files from thousands of schools are currently visible on those hackers’ sites.
NBC News collected and analyzed school files from those sites and found they’re littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
NBA proposes new set of strict rules for unvaccinated players
ESPN has obtained a memo from the NBA that proposes stringent protocols for the upcoming season for players who are not vaccinated against COVID-19. The memo states that unvaccinated players "will have lockers as far away as possible from their vaccinated teammates and will have to eat, fly, and ride buses in different sections." Unvaccinated players will also be subject to testing on practice days as well as game days and could be potentially be checked twice ahead of games. Other bullet points, as mentioned above, regarding the limited contact unvaccinated players can have with their inoculated teammates.
Some schools contacted about the leaks appeared unaware of the problem. And even after schools are able to resume operations following an attack, parents have little recourse when their children’s information is leaked.
Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Public school systems are even less equipped to protect students’ data from dedicated criminal hackers than many private sector businesses, said Doug Levin, the director of the K-12 Cybersecurity Resource Center, a nonprofit organization devoted to helping schools protect against cyberthreats.
Paulie’s Push, sweet Connie, VR brain-rewiring: News from around our 50 states
Mothman Festival canceled again in West Virginia, Zozobra burning to be hybrid event in New Mexico, and moreStart the day smarter. Get all the news you need in your inbox each morning.
“I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed,” Levin said. “And I don’t think people have a good handle on how large that exposure is.”
For more than a decade, schools have been a regular target for hackers who traffic in people’s data, which they usually bundle and sell to identity thieves, experts say. But schools have never had a clear legal mandate for what to do after hackers steal their students’ information.
The recent rise in ransomware has escalated the problem, as those hackers often publish victims’ files on their websites if they don’t pay. While the average person may not know where to find such sites, criminal hackers can find them easily.
Scammers can act quickly after information is posted. In February, just a few months after Toledo Public Schools in Ohio was hit by ransomware hackers who published students’ names and Social Security numbers online, a parentthat someone who had that information had started trying to take out a credit card and a car loan in his elementary school-aged son’s name.
School mask mandate ban challenged in new Utah lawsuit
SALT LAKE CITY (AP) — A ban on school districts requiring masks is forcing parents of vulnerable kids to wrestle with the painful choice of whether to risk coronavirus infections at school or keep them at home yet again, according to a lawsuit filed Monday in Utah. Parents like Jessica Pyper say a Utah law that blocks districts from passing mandates wrongly prevents children from getting a safe education. She wants her 10-year-old son Ryker to join his fifth grade classmates this year, but his Type 1 diabetes puts him at serious risk.“It just sort of seems like nobody cares," she said. “Kids with disabilities often get left behind.
In December, when hackers broke into the Weslaco Independent School District near the Texas southern border, staff members moved quickly to alert more than 48,000 parents and guardians of the breach. They followed the FBI’s advice to not pay the hackers and restored their system from backups they had kept for such an emergency.
But the hackers, spurned by Weslaco’s decision to not pay, dumped the files they pilfered on their website. One of those, still posted online, is an Excel spreadsheet titled “Basic student information” that has a list of approximately 16,000 students, roughly the combined student population of Weslaco’s 20 schools last year. It lists students by name and includes entries for their date of birth, race, Social Security number and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged and if they’ve been flagged as potentially dyslexic.
The district’s cyber insurance paid for free credit monitoring for staff, said Carlos Martinez, its executive director of technology. But protections for children whose information was stored by their school and exposed by hackers is murkier. Nine months later, the Weslaco school district is still figuring out what, if anything, to do for the students whose information was exposed, Martinez said.
Mail carrier legacy, pardoning a ‘witch,’ hermit to rebuild: News from around our 50 states
Location of women’s baseball museum not a hit in Illinois, school workers sue over racial equity training in Missouri, and moreStart the day smarter. Get all the news you need in your inbox each morning.
“We have attorneys looking into that right now,” he said.
Ransomware hackers are largely motivated by profits and tend to look for targets of opportunity. That means the information they post online is often a hodgepodge of scattered files they were able to pilfer, and even the school districts themselves may not know what’s been taken and exposed.
The problem is exacerbated by the fact that many schools simply don’t know all the information that’s stored on all their computers, and therefore they may not realize the extent of what hackers have stolen. When the Dallas-area Lancaster Independent School District was hit with ransomware in June, it alerted parents but told them the school’s investigation “has not confirmed that there has been any impact to employee or student information,” Kimberly Simpson, the district’s chief of communications, said in an email.
But NBC News’ investigation of the files leaked from that hack found an audit from 2018 that listed more than 6,000 students, organized by grade and school, as qualifying for free or reduced price meals. Simpson did not respond to a request for comment about the audit.
Sometimes students’ data is exposed because third parties hold it. In May, hackers posted files they had stolen from the Apollo Career Center, a northwestern Ohio vocational school that partners with 11 regional high schools. Those files include hundreds of high schoolers’ report cards from the last school year, all of which are currently visible.
COVID at school? 2 in 3 parents support mask mandates. Many worry kids will get very sick.
Most parents are eager for kids to go back to school, despite delta COVID surge. But they want mask and vaccine mandates in place, a new poll shows.Still, parents are eager for their children to return to classrooms, and they're more skeptical of online learning now than they were last school year.
A spokesperson for Apollo, Allison Overholt, said in an email that the organization was still working to notify students whose information was exposed.
“We are aware of the incident and are investigating it,” she said. “We are in the process of providing notifications to the students and other individuals whose information was involved and will complete the notifications as soon as possible.”
Schools and school districts tend to store a lot of data on children, and often they don’t have the money to pay for dedicated cybersecurity experts or services, Levin said.
“School districts collect a lot of sensitive data on students,” he said. “Some of it’s about its students. Some of it’s about their medical history. It may have to do with law enforcement. It may have to do with broken homes. It is a solemn responsibility that schools have to care for kids, so they collect a lot of data with that.”
Parents are quickly learning that addressing these problems may fall to them. Schools may not even know if they’ve been hacked or if those hackers have posted students’ information on the dark web. And federal and state laws for student information often don’t give clear guidance for what to do if a school is hacked, Levin said.
That leaves parents and children with little they can do to protect themselves from the possibility that criminals will access their personal information and use it to commit identity theft or fraud in their name. The single most important thing they can do is freeze their credit while they’re still underage, said Eva Velasquez, the president of the nonprofit Identity Theft Resource Center, which helps victims of data theft.
“We should for all intents and purposes believe that for the most part, all of our data’s been compromised,” Velasquez said. “We’ve been dealing with data breaches since 2005, and they are absolutely ubiquitous, and just because you didn’t receive a notice doesn’t mean it didn’t happen.”
Freezing a child’s credit can be time consuming, and doing it effectively requires completing the process with all three major credit monitoring services,, and . But it’s become an essential step for digital safety, Velasquez said.
“We encourage parents to freeze childrens’ credit,” she said. “From an identity theft perspective, that is one of the most robust, proactive steps that a consumer can take to minimize the risk. And it applies to kids, and it’s free.”
From Grace Kelly to Princess Charlene: The Endlessly Sensational Story of Monaco's Royal Family .
Rumors surrounding Princess Charlene's long stay in South Africa after suffering a medical crisis is yet another page of this family's unbelievable history.Or, if you haven't been seen for awhile, a glut of speculation about where you are—and why.