Hackers, being an ever-inventive group, have found a new target to go after.
According to the U.S. Department of Education, a new cyberthreat is targeting school districts across the country with an extortion attempt that warns educators to pay them — or risk the school’s private records going up on the public web.
“In some cases, this has included threats of violence, shaming or bullying the children unless payment is received,” the department wrote in an advisory this week.
So far, the attack has been seen in three U.S. states.
Law enforcement says they believe the threats are empty — and that attackers, more likely than not, are from outside the United States.
“We feel this is important to allow our community to understand that the threats were not real and were simply a tactic used by the cyber extortionists to facilitate their demand for money,” the Flathead County Sheriff’s Office said in a Facebook post last month.
All schools have refused to pay the ransom — at least one continues to receive threats. In the Johnson Community School District in Iowa, hackers also sent threatening text messages to children and their parents.
The hacking group, known as Dark Overlord, previously attempted to extort Netflix last year by threatening to release “Orange Is The New Black” early. Netflix balked, and the episodes were released.
Why Dark Overlord began targeting schools is a bit of a mystery — but a representative of the hacking group noted they are “escalating the intensity of our strategy in response to the FBI’s persistence in persuading clients away from us.”
The Department of Education also notes that Dark Overlord is picking districts “with weak data security or well-known vulnerabilities that enable the attackers to gain access to sensitive data.”
It advises districts to conduct security audits and patch vulnerable systems and train staff on data security best practices. But, according to Mary Kavaney, the chief operating officer of the Global Cyber Alliance, school environments often don’t have a lot of technology resources dedicated to security, or a lot of expertise. They do, however, have a lot of sensitive information in their hands.
“If bad actors can access student [personal data], that information can be exploited for the purpose of fraud and committing crimes for years before it is detected,” Kavaney says. “It’s often only upon application for a job — or application for financial aid to attend college — that students find out that their Social Security number has been used fraudulently. They may have poor credit due to false applications against their history, or worse, find that crime has been committed in their name.”