How to Cover School Data Breaches
Using the fifth-largest school district as a case study, learn what to ask when reporting on the fallout of a data breach.
Photo credit: James Minichello of AASA for EWA
In 2023, hackers infiltrated the Clark County School District, which encompasses Las Vegas and surrounding Southern Nevada, exposing the personal data of students in the country’s fifth-largest school district.
It took nearly two weeks for the district to notify families of the October 2023 breach. Reports estimate between 200,000 to 300,000 district students had their personal data leaked online. The Nevada Independent reporter Rocío Hernández was on the case from the beginning.
The district tried to dodge responsibility, she said, calling the attack an “incident,” among other things.
Hernández spoke to fellow reporters during a session at the Education Writers Association’s 2024 National Seminar in Las Vegas last May. Moderated by The 74’s Kathy Moore, the panel also included Bill Fitzgerald, a former teacher and privacy researcher who runs Global Cyber Alliance.
“It took a couple of weeks for the district to officially acknowledge the hackers had access to online grading books,” Hernández said, listing one example of data the cyber criminals were able to access.
Here’s what reporters should know to better cover data breaches in their school districts.
How Cyber Criminals Are Targeting School Districts
Clark County is hardly alone when it comes to school system hacks. (Though the Southern Nevada school district’s decision to use students’ birth dates as passwords must rank among the top of the list of most vulnerable security ideas.) Minneapolis Public Schools in Minnesota had 30 years’ worth of student and staff data compromised (myself included) in 2023, as well.
As Hernández wrote, the password system was an all too easy entry for hackers. The cyber criminals “said they were able to use social media and posts in an online forum going back to 2016 to figure out the password configuration used by the district.”
“If personal data were a car, they left the keys in the ignition,” one of the lawyers representing parents in the class-action lawsuit said.
In June, a judge denied the Clark County district’s attempt to have the case dismissed. So families will see another day in court in which the district must answer.
“There’s no confirmation from the district [on] or how many people have been affected, how many people have been notified and what process they are using,” Hernández said.
Kathy Moore, the executive editor at education outlet The 74, offered her perspective on the district’s handling of the hack.
“The instinct by the district to obscure what happened, a lack of transparency, leaves victims in the dark,” Moore said.
After the cyberattack in Clark County, the district “had to go completely pen and paper,” Hernández said. This is a significant shift of resources for any school district, which raises additional questions about securing gradebooks and backup plans for similar technological failures.
Bill Fitzgerald explained how districts can better protect students and advocate for parents.
“[Schools] should publish a list of all the tools being used by the district with links to the privacy policies,” he said.
That way, parents can check any phishing email or text against the third-party software their children actually use in class.
Moore asked Fitzgerald what advice he’d offer to families and students to safeguard their data. But Fitzgerald rejects that premise of the question.
“That places the onus for action on those who have the least say. I want to see districts give that advice to themselves and follow it,” he said.
Reporting on School Cyberattacks Everywhere
The speakers offered reporters advice — both on protecting themselves and questioning school districts in the wake of a cyberattack.
Journalists should:
- Speak to those affected (students, staff, employees, former students, etc.).
- Ask for the types of data compromised (address, social security numbers, academic information, special education files, etc.).
- Request a list of third-party vendors that have student information.
- Ask districts for third-party vendor licensing agreements.
- Be cautious when investigating online, including downloading files from unknown sources.
To determine the extent of a data breach, Moore suggested reporters ask about any special education plans and assessments, sexual assault complaints, student discipline and other personal school records that go beyond name, address and social security number.
“There’s a whole ‘nother level of harm here that I think we’re just beginning to understand,” Moore said.
Fitzgerald encouraged reporters to proactively ask their school districts and state legislatures what protections are in place for student data, including where responsibility lies in user agreements. These agreements are sometimes signed by districts and other times by teachers or parents.
Fitzgerald said parents and their students may have freed software companies from liability with a simple click on an “I Agree” button found after lengthy user agreements that many people skim. Parents are trapped between agreeing to a laundry list of concessions and their child being able to participate in class with said software applications.
“When this happens, it’s a multi-varied failure of the adults who were actually supposed to be responsible here,” Fitzgerald said. “What you are hearing is the result of the district’s liability insurance, crisis communications, lawyers coming up with a set of watered down milquetoast points.”
He said reporters must dig deeper, especially into the third-party vendors school systems use. This includes examining any agreements the district has made with those vendors, which could hold the companies harmless in a cyberattack. If school districts made the agreements, they should be responsible for the fallout of a data breach, he said.
Reporters must immediately ask the district for details — including what information was compromised and how many individuals were affected.
“That initial statement you get [is] not designed to be factual or informational,” Fitzgerald said. “It’s designed to let [school districts] get away with it.”
Reporters must also protect themselves while investigating, Fitzgerald said. He cautioned against downloading files from unknown sources, entering personal information into unknown sites and visiting sites associated with the cyber criminals.
Investigating hackers can subject a reporter’s computer and company’s network to data mining, he said
“Don’t go looking — you’ll compromise your own system,” he said
