Ransomware Surge Targets K-12 Schools: A Growing Threat to Education In early 2023, two vastly different school districts Tucson Unified (Arizona) and Nantucket Public Schools (Massachusetts) fell victim to ransomware attacks within a day of each other. Tucson, one of Arizona’s largest districts with 42,000 students, suffered a data breach exposing personally identifiable information, while Nantucket’s attack forced school closures. These incidents highlight a troubling trend: ransomware attacks on K-12 schools have surged by 393% since 2016, with 325 attacks recorded between April 2016 and November 2022, followed by 85 more through October 2023. ### Why Schools Are Under Attack K-12 institutions are prime targets due to their valuable data student records, Social Security numbers, financial details and weak cybersecurity defenses. Many districts lack dedicated cybersecurity staff, with two-thirds operating without a full-time expert in 2023. Only 12% allocate any budget for cybersecurity, leaving them vulnerable to increasingly sophisticated attacks, including dual extortion tactics where hackers encrypt data and threaten to leak it. The U.S. Department of Homeland Security attributes the rise in attacks to budget constraints, fragmented response protocols, and criminals’ success in extorting payments. Schools also rely on an average of 2,739 ed-tech tools, expanding potential entry points for attackers. ### The Cost of Ransomware The financial and operational toll is severe. A 2024 report found that 62% of affected schools pay ransoms, averaging $7.5 million per incident. Even without paying, recovery costs hit $3.76 million double the 2023 figure. Downtime from attacks disrupts learning, with schools losing an average of 12.6 days in 2023, costing $548,185 per day. Beyond finances, attacks erode trust. Some districts delay public disclosure, as seen in Broward County (Florida), which waited five months to notify victims of a 2021 breach. Others face lawsuits, like Clark County School District (Nevada), accused of negligence after a 2023 attack exposed sensitive data. ### How Schools Are Fighting Back Efforts to strengthen defenses are gaining momentum. Key measures include: - Multifactor authentication and free CISA tools, such as protective DNS services. - State-level support, like Georgia’s $1 million cybersecurity platform for all districts. - Federal coordination, including a new Government Coordinating Council to share best practices. However, challenges remain. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), set to take effect in 2026, will mandate reporting for districts with over 1,000 students, but no dedicated federal funding exists for K-12 cybersecurity. As Doug Levin of K12 Security Information eXchange (K12 SIX) warns, the question isn’t if an attack will happen but when. With schools increasingly in the crosshairs, the stakes for protecting student data and operational continuity have never been higher.

Broward County Public Schools in Florida fell prey to a ransomware attack. The computer systems of the school was hacked and district data was encrypted. The attackers demanded $40 million in ransom while the school negotiated to pay $500,000.