International cyber criminals have successfully targeted Merced County schools, compromising internal data and forcing some districts to pay a hefty price to get those attacks resolved.
Steve Tietjen, the county’s superintendent of schools, said a total of six Merced County school districts have been victims of cyber criminals in the last three years.
In some cases, cyber criminals threatened to leak compromised data to the public unless they were paid.
“These attacks are driven by people from outside our country,” Tietjen said. “These are not just domestic hackers looking for an easy payday. These are international criminals that are attacking our school systems.”’
Most of those incidents involved ransomware, a malicious software used by criminals to encrypt files and hold information or data hostage until payment is made in exchange.
While Tietjen didn’t say whether any of the local districts paid ransoms, he said the combined cost to resolve the issues associated with the attacks approached $1 million.
“Our districts have done the right thing. They have contacted the FBI, they contacted local law enforcement, they are working with law enforcement when they are attacked, however they still have to resolve the issue. And so they had to do what they needed to do to resolve it,” Tietjen said.
Tietjen, whose Merced County Office of Education supports 20 local K-12 school districts, acknowledged compromised data included student and personnel files, plus historical legal documents.
Most of the incidents happened after employees clicked on emails that looked legitimate, but were actually sent by hackers. Other incidents happened after employees clicked on pop ups that were also ploys to steal data.
Last month during the presentation of MCOE’s annual education report, Tietjen also acknowledged his agency's subsequent efforts to prevent cyberattacks. “I know that we had some (attacks) here in Merced County, but we’ve brought resources into play, doing trainings on an ongoing basis to make sure that our teaching staff know not to click on those links,” Tietjen said.
Frequency of attacks nationwide
Such attacks against government agencies aren’t rare. According to cybersecurity firm Emsisoft, at least108 K-12 districts were impacted by ransomware attacks in 2023, more than double the 45 that were impacted in 2022. The impacted school districts had a total of 1,899 schools between them and at least 77 of the 108 had data stolen, the report said. Post secondary schools suffered 72 ransomware attacks in 2023.
Nationwide in 2022, ransomware attacks impacted 44 school districts operating 1,981 schools, 44 universities and colleges, 106 local governments and 25 health providers operating 290 hospitals.
Brett Callow, a threat analyst for Emsisoft, said the adoption of data exfiltration – also referred to as “double extortion” – has been the biggest tactical shift he’s seen recently among cyber criminals.
“Basically, the hackers no longer only encrypt victims’ data, they steal a copy of it too, and threaten to release that copy online unless the victim pays,” Callow wrote in an email to CVJC.
“This obviously provides the hackers with additional leverage. Even if a victim is able to restore their systems using backups, they still have the problem of what to do about the stolen data.”
Around other parts of California, last year a payment of $1.1 million was made to resolve a ransomware attack against San Bernardino County’s law enforcement computer network, Southern California News Group reported.
In 2022, more than 2,000 student records were compromised and posted on the dark web in a cyberattack againstLos Angeles Unified School District, the Los Angeles Times reported.
Private entities are not immune. Last year the Philadelphia Inquirer, the third longest-serving U.S. newspaper, suffered a cyberattack that caused serious disruptionsto its operations, The Guardian reported.
Local incidents of data theft
Not much information has been released locally about the six Merced County K-12 school districts who were targeted. When asked, Tietjen would not comment on which specific local districts were hit.
School districts do have to report cyberattacks to the state, depending on the size of the incident.
Gov. Gavin Newsom signed Assembly Bill 2355 into into law in 2022, which mandates K-12 school districts report cyberattacks to the state’s Cyber Security Integration Center. Under state law, only those attacks impacting 500 or more students or employees must be reported.
State law also requires agencies to notify any California resident whose unencrypted personal information was acquired by an unauthorized person.
The California Attorney Generalkeeps an online listof notification letters sent to affected residents when there is a data breach or cyberattack impacting 500 people or more.
A data breach involving Merced City School District is included on the DOJ’s list. The district operates 14 elementary and four middle schools in the Merced area.
In August 2021, a burglar physically broke into a building managed by the Foundation for Medical Care of Merced County, a vendor that provided third party administration services for Merced City Schools’ medical and dental plans.
According to the foundation’s letter sent to impacted employees, the intruder punched a hole in the internal wall from an adjacent office suite.
An external backup drive was among the items taken by the thief. That drive had information from scanned paper claims that included patient names, healthcare identification numbers, addresses, dates of birth, procedure and diagnosis codes and claim charges.
Merced police were notified about the break-in, according to the letter, and additional security was added to the building.
Higher education institutions impacted
Colleges and universities have also been targeted by cyber criminals. Merced College suffered a massive cyberattack in 2022 that exposed names and addresses stored on the school’s network.
According to an email from James Leonard, Merced College spokesperson, the attack impacted a total of 48,079 people, most of whom were students. No arrests have been made in the case.
During the incident malware was used by an unauthorized person to access that network, encrypting some of its systems, according to the data breach notice sent to those who were affected.
The college immediately secured the network and launched an investigation. In a statement, the college said a forensic investigation confirmed the initial entry point as “an exploitation of an application found on a server in our virtualized environment.”
In the aftermath of the breach, the college took measures to enhance the security of its network environment.
The college arranged identity monitoring for those people affected by the breach at no cost through the breach response company IDX. Those identity theft services included 12 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy and fully managed identity theft recovery services, according to the data breach notice.
Additional steps taken by Merced College included implementing a district-wide security operations center.
According to the college’s statement, the school has also created new staff positions focused on cybersecurity, updated internal security policies and created additional training to identify phishing attempts and support network security best practices.
It’s still unclear whether cyberattacks have had a big impact on operations at UC Merced. Back in 2020, the University of California system was among 100 organizations targeted by an international cyberattack. The university system’s Accelion file transfer appliance was targeted,and in March 2021 the UC identified some of the system’s data had been posted on the internet.
The data included personal information for members of the UC community, including current and former employees and their dependents, retirees and beneficiaries and students and others.
Calls to the University Office of the President on the issue were not returned.
UC Merced officials haven’t elaborated on how many people may have been impacted by the Accelion FTA breach locally. Sam Yniguez, UC Merced’s director of public relations, told CVJC in a statement that cybersecurity remains a top priority for the campus.
“UC Merced continues to implement a comprehensive layered defense cybersecurity program that includes training of staff, faculty, and students to make them aware of how to protect themselves against cyber attacks,” Yniguez said.
“Cybersecurity is a team sport and UC Merced ensures that everyone plays their role in protecting their personal and organizational information and systems.”
Training key to prevention
In the meantime, officials at Merced County of Education say all of its employees are mandated to undergo mandatory annual cybersecurity training.
Tietjen said most of the county’s 20 K-12 school districts conduct similar training because of the gravity of the threat.
Nathan Quevedo, MCOE spokesperson, said the agency also regularly conducts mock “phishing” exercises, where bait emails are sent to employees to see whether anyone clicks on them.
Those who click on the bait email are reminded about the importance of cybersecurity. Quevedo said such exercises are opportunities to train, educate and empower employees.
Quevedo said the training is key because cyber criminals are always updating their tactics. He has seen examples where cyber criminals were able to clone emails and make them appear authentic.
MCOE also uses multi-factor authentication software for employee login purposes, as another deterrent and layer of security. Multi-factor authentication requires a user to present a combination of two or more credentials before logging into a computer network.
“If something seems off, pick up the phone and call someone, as opposed to just believing an email that looks suspicious,” Quevedo said.
When there is a ransomware or malicious software attack against a school district in Merced County, Quevedo said online services for that particular district must be turned off until the situation is resolved.
I do, however, think that the time has come for governments to seriously consider banning the payment of ransoms or, at least, significantly limiting the circumstances in which they can be paid.Brett Callow
Quevedo said 19 of Merced County’s 20 school districts get their high speed internet through MCOE.
“This threat will continue to exist and we need to make sure that not only that our students are trained but our staff are trained not to click on the bait that these folks are putting out,” Tietjen said.
Callow said the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has a list of resources aimed at helping schools and other public sector bodies prevent attacks.
“By adhering to best practices, especially in relation to the implementation of (multi-factor authentication, organizations can significantly reduce the likelihood that they’ll be the next victim,” Callow wrote to CVJC.
In terms of whether a government agency or organization should pay a ransom to hackers following a ransomware attack, Callow said the answer isn’t black or white – nor is it something everyone agrees on.
“My personal opinion is that it makes no sense at all for organizations to pay simply to obtain a pinky promise from the hackers that stolen data will be deleted. They’re criminals, and there’s no way to know whether they’ll do as they say, and we know that they sometimes do not,” Callow wrote.
On the other hand, if an organization’s data has been encrypted and their backups are not usable, Callow said they may have little choice but to pay.
“It’s either that, or permanently lose access to their data. I do, however, think that the time has come for governments to seriously consider banning the payment of ransoms or, at least, significantly limiting the circumstances in which they can be paid,” Callow wrote.
“Ransomware attacks happen for one reason: they’re massively profitable. Making them less profitable would mean fewer attacks.”
Victor Patton is editor-in-chief of The Merced FOCUS, a nonprofit newsroom based in Merced. Sign up for the Central Valley Journalism Collaborative's free Substack list here and follow CVJC on Facebook.