Criminals make student data public in escalating demands for ransom
In a world where everything is hackable and nothing off limits, cyber criminals are now targeting schools, stealing student data and holding it for ransom.
Last month, the U.S. Department of Education warned that hackers were targeting schools with weak cyber security and known vulnerabilities, threatening to release sensitive student information unless a ransom is paid.
"In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received," the warning said.
A dilemma on how to handle hackers
Steve Bradshaw, school superintendent in Columbia Falls, Montana, a quiet town nestled at the foot of Glacier National Park, said he received messages in September from an anonymous person who mentioned "splattering blood all over the hallways."
Bradshaw turned over the alarming messages to local law enforcement.
"The threats were mostly about killing children -- and graphic ways that they were going to kill the children," Columbia Falls Police Chief Clint Peters told NBC News.
When it was evident that the person or group sending the messages was after a ransom in exchange for not releasing student social security numbers, phone numbers and addresses, law enforcement officials began trying to negotiate with the cyber criminals over their demands.
RELATED: Cybersecurity tips
Particularly alarming was the discovery that the group had hacked the school's security cameras and could watch their every move.
After a rash of attacks across the country, the FBI is asking school districts to make cyber security a priority.
In Columbia Falls, Bradshaw's team met with families, consulted with the FBI, and ultimately made the decision to not pay the hackers.
That was followed by more threatening texts.
"It's about power and it's about fear," Bradshaw told NBC News. While he made the choice not to pay, he said he dreads the thought of the hackers dumping student information.
"Will they dump this information? Will they impact some child to the point that that child could be emotionally damaged for the rest of their life?" he said.
Why schools are easy targets
With many school districts across the country facing tight budgets, cyber security is often an after-thought, according to experts.
"Schools are vulnerable for a variety of reasons," said Shawn Henry, chief security officer of Crowdstrike and former assistant director of the FBI.
"First of all, their security is not always up to par and that's because they don't have a high budget in order to invest in security protocols," he said. "But they also have information that's of value and people want to protect children."
The Department of Education is encouraging schools to conduct security audits and to train staff on cyber security best practices, including how to avoid being targeted by social engineering schemes, such as fake emails that look real but, if clicked, can provide hackers access into the school's system.
Cyber security "needs to be a budget item every year," said Howard Marshall, a spokesman for the FBI. "At the end of the day, they are protecting the country's most important assest and resource - and that's our children."
But for now, parents like Amy Squires, the mother of a kindergarten student in Columbia Falls, are on edge about what the hackers' next move could be.
"Why is this happening to us?" she said. "A lot of us, as parents, are kind of wondering what's happening next."