School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber. Subscribe here.

It was October 2022 when Los Angeles schools Superintendent Alberto Carvalho made a false assurance about a massive ransomware attack on the country’s second-largest school district — and the leak of thousands of highly sensitive student mental health records — that set me off.

Published reports that the breach exposed students’ psychological evaluations, Carvalho said, were “absolutely incorrect.” The dark web proved otherwise: On a shady corner of the internet, I revealed, hackers used the detailed, very confidential records about Los Angeles children as leverage in a sick ploy for money. After my story ran, L.A. schools acknowledged publicly that some 2,000 student psych evals were indeed exposed by the Vice Society ransomware gang. 

And so began my descent down the rabbit hole, marking the early days of an in-depth investigation I published Tuesday in partnership with WIRED and supported by a grant from the Fund for Investigative Journalism.

What I found is that as educators take steps to protect themselves, their school districts and their reputations after cyberattacks, they employ a pervasive pattern of obfuscation that leaves students, parents and teachers — the real victims of the hacks and subsequent data breaches — in the dark. 

I spent a year (OK, more than a year) learning everything I could about more than 300 K-12 school cyberattacks since the pandemic pushed students into online learning and educators became lucrative targets for hackers. I reconfigured a crappy old laptop to track ransomware gangs on the dark web and to analyze the reams of sensitive files published to their sketchy leak sites. I obtained thousands of public records from more than two dozen school districts. I used the government procurement database GovSpend to uncover school spending after attacks, including ransom payments made to cyberthieves in Bitcoin. I scoured news reports, state data breach disclosures and district websites for public confirmations and, oftentimes, denials — sometimes even after their students’ and employees’ personal information had already been published. 

My reporting documented that educators routinely offered incomplete, misleading or downright inaccurate information about cyberattacks — and the risks that subsequent data breaches pose to students, parents and teachers for identity theft, fraud and other forms of online exploitation. 

The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants and privacy lawyers to steer “privileged investigations,” which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning.

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them. 

School cybersecurity expert Doug Levin had this to say about our investigation: “For institutions whose mission is to lift up and protect children and youth, it is unconscionable that they are incentivized to cover up the criminal acts perpetrated against them by malicious foreign actors.”

K-12 cyberattacks in focus: Now you can fall down the school cyberattack rabbit hole, too! Use our new search feature to read about how incidents unfolded in your own community, complete with investigative reveals you won’t want to miss. 

Emotional support

This story was brought to you with invaluable editing and guidance from The 74’s Kathy Moore.

And Matilda.

Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter