Excellence in Technology Reporting, Small Newsroom finalist

Kept in the Dark

About the Project

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education five years ago. An in-depth investigation by The 74’s Mark Keierleber into more than 300 K-12 attacks reveals the degree to which school leaders in virtually every state shroud these events in secrecy and repeatedly provide false assurances to students, parents and staff about the security of their sensitive information.

Such obfuscation isn’t accidental.

Almost immediately after an attack, districts hire consultants and lawyers to steer “privileged investigations,” keeping key details hidden from the public. Mark’s Kept in the Dark investigation breaks through that calculated front, delivering the most comprehensive reporting to date on the school cyberattack crisis in the U.S. and revealing for the first time the unseen apparatus made up of insurance executives, data privacy lawyers and consultants, who take over the response. These individuals shield their actions — and districts’ potential legal liability — behind attorney-client privilege.

The result: Students, families and staff whose personal data was published online – from their financial and medical information to traumatic events in young people’s lives – are left clueless about their exposure and their risk of identity theft, fraud and online exploitation.

In more than two dozen cases, Mark’s investigation revealed, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, such as special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed.

Even after the hackers followed through on threats and made student and teacher information public, school officials would often refuse to admit to even basic details about an attack and its impact on the people whose interests and well-being they are supposed to protect.

Similarly, Mark uncovered instances where school officials quietly agreed in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems, never telling the public.

Mark spent more than a year investigating the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks. He installed security upgrades to a MacBook to use exclusively on the dark web, where he tracked school attacks across hundreds of international cybercrime gangs. He used Python and other data analysis techniques to sift through millions of sensitive files uploaded to dark web leak sites to expose their detrimental impact on students and teachers.

GovSpend procurement records were used to identify the law firms, ransomware negotiators and other consultants hired to run district responses. Mark was able to uncover what actually transpired in individual attacks through emails and other documents obtained through public records requests to some two dozen school districts and by scouring state data breach notices, which repeatedly revealed discrepancies between what school officials told the public early on and what they disclosed to regulators after extensive delays.

Mark’s reporting was supported by a $10,000 grant from the Fund for Investigative Journalism, and Kept in the Dark was co-published by WIRED.