SEATTLE — The cyberthreat that shut down Highline Public Schools in September was a ransomware attack, district officials announced Thursday.
The district is working with the FBI to investigate the attack. Though it’s unclear if hackers accessed personal data, the district is offering a year’s worth of free credit monitoring service to staff members as a preventive measure, said Tove Tupper, the district’s spokesperson.
The district discovered suspicious activity during the first week of classes in September. After a few days of closure, students and staff returned, but they have been barred from using Wi-Fi or district-issued devices as the district tries to eliminate the threat.
Ransomware is software that blocks access to files or entire networks. Hackers then demand money in exchange for the key that restores access.
The district did not disclose how much money the hackers demanded, citing an ongoing investigation.
Things might become more normal starting Oct. 14, when the district will begin reimaging devices. Students and staff must also change their passwords. Once those steps are complete, they’ll have access to the computers and systems that are now critical to the operation of schools in the modern era.
Some kind of timeline for restoring digital tools is a sure relief. While the return to analog methods in a digital age may seem quirky, it has undeniably disrupted Highline Public Schools. Teachers were abruptly cut off from their curriculum and students from their digital textbooks.
“Pretty weird” is how Jude Dooley, a senior at the district’s engineering-focused Raisbeck Aviation High School, put it.
For the past few weeks, teachers wheeled out projectors and handwritten lesson plans. All communication is done via landline telephones. Attendance is taken by hand and delivered daily to Highline school district headquarters. Students take notes and complete assignments on paper.
As school districts’ reliance on the internet has risen, so have cyberattacks. One school district gets hacked every day on average, said Doug Levin, director of K-12 Security Information eXchange, a nonprofit that helps school districts protect themselves from hackers.
Until the last two or three years, it was rare to see school systems shut down because of a cybersecurity threat, said Levin. Highline had to close schools for three days after the threat was discovered.
“It’s among the worst outcomes we have seen,” said Levin.
In January 2023, the Des Moines school district in Iowa closed for several days after a ransomware attack. It took about a month for the district to confirm that it was a ransomware attack. About six months after the attack, the district announced that the hackers had accessed the data of 6,700 people.
Levin said hackers know that getting hacked is expensive and time-consuming and often use it to their advantage to try to collect a ransom.
“It’s not easy. It’s not easy to perform work without internet access,” said Tupper, the Highline district spokesperson, who has been working off a cellphone hot spot.
Staff members at the district are trying to work around it. Where it was available, the district found and printed curriculum materials around schools, and principals were given hot spots so they could access critical student information like parent phone numbers. The weekly email newsletter sent to staff is now being printed on paper and distributed, too.
For teachers, it’s been a major pain point. The district hasn’t asked them to use their personal devices or take work home, but many see no other choice. Some are writing lesson plans and worksheets by hand and photocopying them. Others use their personal laptops at home to write materials and then bring their work on a thumb drive, which is the only way to print things at school.
“We redo everything,” said one high school teacher who asked not to be named.
Before the shutdown, teachers had already uploaded lesson plans and translated materials to the internet. But that work is now inaccessible, with no indication of when it might be restored, the teacher said. Teachers are re-creating lesson plans based on their memory of what they’ve taught and materials provided by the district.
“It certainly has been a tough 23 days for my educators, that’s for sure,” Highline’s teachers union President Jeb Binns wrote in an email. “The inability to access curriculum that largely went online after COVID is a struggle. The inability to access district-issued devices and use the internet further exacerbates the issue.”
Dooley, the Raisbeck student, said the shutdown has made everything a little more arduous. His computer-aided design class, for example, has been confined to sketches on paper. Teachers would put reminders about assignments and quizzes on a central webpage that students no longer have access to. Without that, there’s been a little confusion.
After or during an attack, a district will usually bring in “good hackers” to try and boot the hacker, said Levin. That’s typically when internet-based systems have to be shut down.
Why? In many organizations, the systems are all connected to each other. So when a single component is compromised, everything must be shut down. One of K-12 Security Information eXchange’s recommendations for school districts is to segment systems to prevent that kind of disruption.
Other solutions include using two-factor authentication, hiring more IT staff and having an incident response plan.
These types of attacks often involve extortion. The hackers, sometimes based overseas, will try to negotiate for a ransom in exchange for not releasing vital data about students. Ten years ago, the demands were just for a few thousand dollars. Nowadays the ask can be millions, said Levin.
Even when districts don’t pay ransom, they spend millions trying to prevent another intrusion. Tupper said insurance is expected to cover most of the cost of responding to the attack. As for how much it will cost to buy added protection, there is no estimate yet.
“The best thing of all is not to be a victim, but once you are, you’re in a tough spot with not a lot of good choices,” said Levin. “I have no doubt this is a very challenging situation for them.”