CONCORD, N.H. — In April, it happened to the Nashua School District. In June, an attack hit the Lebanon public schools.
The FBI said that cybersecurity attacks are on the rise and schools are particularly vulnerable. In 2022, there were over 1,400 reports totaling losses of $29.3 million in New Hampshire, almost twice the amount lost in 2021. The actual losses are likely much higher, as experts say many victims — including school districts — are reluctant to report attacks.
“If someone broke into a classroom and stole all their computers and switches and other technology, law enforcement would be notified and that would be on the front page,” said Richard Rossi, New Hampshire’s cybersecurity adviser. “But when we have a cyberattack of the same magnitude, that’s often swept under the rug.”
Cybersecurity experts said fear of getting fired or facing scrutiny could prevent school district employees from speaking out.
“The actual number of cybersecurity attacks is likely significantly higher than what’s publicly reported because schools and other victims of cyber attacks fear the consequences of reporting cybersecurity incidents,” said U.S. Senator Maggie Hassan during a Senate Homeland Security subcommittee meeting Monday at Saint Anselm Institute of Politics in Goffstown.
Rossi and other cybersecurity experts are urging school districts to take proactive steps to prevent a breach and to report cybersecurity crimes when they do happen. Efforts also are underway to spend new state and federal funding on cybersecurity.
The impact of an attack on a school can be disruptive and traumatizing for students whose sensitive data can be exposed, and costly for the school district. Students can lose anywhere from three days to three weeks in learning time, according to a 2022 report from the Government Accountability Office. It often costs school districts more than $1 million to bring in outside cybersecurity experts, restore computers and networks, and secure their system after a breach, according to Pamela McLeod, who founded the New Hampshire Chief Technology Officers Council and the New Hampshire Student Privacy Alliance.
McLeod was working for the Concord School District when it was breached in 2016. The data privacy of all staff members was compromised after attackers obtained W-2 forms.
“It’s just devastating,” she said. “It really takes all of the district’s time and resources to handle an attack like that for a period of two to four weeks.”
In Nashua, officials said the district was hit by a sophisticated attack in late April, but school officials weren’t immediately sure whether sensitive information had been compromised. In a June 18 email obtained by the Globe, Superintendent Mario Andrade told families and staff that an investigation into the attack remained ongoing, and that the district was working to restore impacted systems and ensure security moving forward.
“Although we are unaware of any actual or attempted misuse of any personal information because of the cyberattack, we recommend that individuals remain vigilant against incidents of identity theft and fraud by reviewing account statements and explanations of benefits and monitoring free credit reports for suspicious activity,” Andrade wrote.
He said if the investigation found sensitive information had been impacted, affected individuals would be notified directly. Andrade did not respond to a request for comment on this story.
In Lebanon, the school district was hit by a ransomware attack that included a demand letter in June, the Valley News reported, although school officials said they did not find evidence that personal information had been acquired or misused. Superintendent Amy Allen did not return a request for comment on this story.
Timothy Benitez, the U.S. Secret Service agent in charge of the Manchester office, said it’s common for attacks to come in waves like this. In some cases, reporting can lead to positive outcomes, like recovering stolen funds.
In 2021, $2.3 million in school funds was stolen from the town of Peterborough. Benitez said his team was able to recover around $600,000 — an outcome that was only possible because the town reported the incident. He said many of these crimes are committed by transnational criminal organizations and are only possible to resolve if there’s cooperation among law enforcement in other countries.
This year, the state has received $2.5 million in federal funds for the State and Local Cybersecurity Grant Program that Hassan created as a part of the Bipartisan Infrastructure Law, with the possibility of receiving around $10 million more in the next four years. Including the state’s match, that could mean $16.6 million for cybersecurity initiatives in New Hampshire.
Around 80 percent of that money will go to local governments, including school districts, according to the state’s cybersecurity plan.
Denis Goulet, commissioner of the N.H. Department of Information Technology, said three programs are already underway. First, the state is spending $1 million distributing hardware tokens, which are physical keys school districts can use for multifactor authentication, a security measure that makes it harder for a computer to get hacked.
Secondly, the state is spending $1 million to move school and municipal websites to the .gov domain, which includes additional security features.
“It’s verifiable. It’s not easy to spoof,” said Ken Weeks, the chief information security officer for the state of New Hampshire. Weeks noted that according to the New Hampshire Municipal Association, only 26 percent of eligible entities were actually using the domain.
The state has allocated $100,000 for a security training course that local government IT employees can attend for free.
Jason Sgro has launched a new nonprofit called the Overwatch Foundation in New Hampshire to help schools and municipalities build stronger cybersecurity defenses. Sgro is also a senior partner at the Atom Group, a cybersecurity consultancy based in Portsmouth that has worked with New Hampshire municipalities, including Peterborough.
And on Monday, Sgro said, 26 school administrators attended a cybersecurity workshop facilitated by his organization, headquartered in Concord.
“Schools are by far the softest target,” he said. “There, the computer to staff ratio is much higher.”
While a business might have 30 to 50 employees for one IT professional, a school’s ratio is much higher, with one IT professional supporting anywhere from several hundred to several thousand students, each of whom uses their own laptop, Sgro said. Schools are also attractive to criminals because they are writing lots of paychecks, and have trusted relationships with vendors that bill over email, giving criminals opportunities to spoof emails and redirect payments.
The good news is there are ways to protect against this — like requiring multiple steps before payment information can be modified — and many people working to make New Hampshire more secure.
“This is a responsibility that rests with each and every one of us, to get more and more aware of the danger of cyberattacks,” Hassan said.