In early September 2021, the Dallas Independent School District — one of the nation’s largest, with 145,000 students and 22,000 employees in 230 schools — revealed that personal data from the past 11 years was hacked by a third party.
The cyber thief accessed the district’s network, downloaded data, and temporarily stored it in an encrypted cloud storage site. According to an Infosecurity Magazine report, “the district is still working out which data was exposed for each victim, students, employees and contractors between 2010 and the present were likely affected.” School officials say they do not yet know for certain whether the data, which included full names, addresses, phone and Social Security numbers (SSNs), dates of birth, and salary information for employees or contractors, has migrated into other criminals’ hands or been deployed in financial fraud schemes.
Although the third party has removed the data and claimed not to have disseminated it or sold it to anyone, the potential damage to the victims’ financial security is already done. Everyone in the Dallas school community could be personally disrupted in a way that ripples far into the future, affecting eligibility for credit cards, loans and home mortgages.
And Dallas is just the tip of the education iceberg. At least 1,681 schools, colleges and universities were targeted in 84 cybersecurity incidents in 2020, according to Emsisoft, a New Zealand-based anti-malware company. Some of the larger school systems affected included Clark County Public Schools, Fairfax County Public Schools, and Baltimore County Public Schools. Colleges and universities included UCSF, MSU and the University of Utah.
How Do Scammers Get In? And How Do They Use Stolen Student Identities?
Scammers use a number of tactics to gain access to school data. Here are the four biggest threats to school communities:
- Phishing — Perhaps the most common ruse is a “phishing” attack — usually a phony email from what appears to be a trusted source. The email is cleverly designed to lure unsuspecting folks into clicking a link that gives the scammer access to the school district’s computers or network.
- Vishing/smishing/pharming — In a vishing attack directed at a school district, a scammer preys on human nature by phoning their victims and attempting to get them to reveal their personal information. The word “vishing” comes from “voice” and “phishing,” which suggests that a fraudster is dangling a hook or a lure to get unsuspecting school administrators to reveal usernames and passwords or to download malware onto their devices. The lexicon also includes SMiShing, which uses fraudulent text messaging, and pharming, which is phishing using fake websites without the email “hook.”
- Ransomware — A form of “malware,” ransomware is used to encrypt sensitive files held on a school district’s computer devices, essentially locking users out of their own data or networks. Once deployed, the ransomware encryption restricts access to files and the victim receives a notice that a “ransom” must be paid to unlock the data or device. Access to data is supposed to be restored once the ransom is paid, but remember that these are criminals who don’t typically follow a moral code. (The FBI now advises ransomware victims never to pay.)
- Social media — Children often share personal details on social media with their school chums without a second thought. Fraudsters monitor social media platforms to build profiles of their victims and then use those profiles to create synthetic identities.
When cyberthieves steal names, SSNs, and bank and credit card information, they may attempt to use this information in several ways:
- When victimizing college students, scammers often use personally identifiable information (PII) to illegally obtain college debit cards that they then can deploy to get cash advances. Often, the amounts withdrawn are purposely kept low to throw off suspicion. Some fraudsters also use stolen data to set up mobile phone accounts or apply for personal loans.
- Underage children are a prime target for data breaches because fraudsters can take advantage of their PII for years before victims even realize they’ve been compromised. When the time comes to apply for student loans or credit cards, the victims may discover that loans or credit have already been extended to someone using their names, dates of birth, addresses, and SSNs — something any enterprising identity thief can accomplish by hacking a school district’s network.
- An identity thief can sell a child’s stolen SSN on the Dark Web to another criminal, who then can add a different name, birthdate, address, and phone number to start a fraudulent credit file. This is called synthetic identity theft, and it is notoriously difficult to detect.
- One of the fastest-growing attacks on public and private schools is ransomware. University of California San Francisco (UCSF) paid just under $1.14 million in ransom, and the University of Utah paid nearly $500,000, according to news releases. The Emsisoft report noted that ransomware attacks spiked 388% between the second and third quarters of 2020, suggesting that the cybercriminals “intentionally delayed deploying ransomware until students had returned to schools and districts would be under more pressure to pay.”
Protecting Your Child from Back to School Scams
Children are 51 times more likely to be a victim of identity theft than adults, according to Carnegie Mellon University’s CyLab. Here are four steps that you can take to protect your family members’ PII against identity theft:
- Understand where your and your child’s PII is stored, particularly at schools, dentists, and medical offices; verify that their records are secure.
- Know how any PII you provide on school forms will be used and with whom it will be shared. Verify that these forms are updated and that it is indeed necessary to even provide PII about your child.
- Ask about the school’s directory information policy and what information about your child is included. You have the choice to opt out.
- Consider a credit freeze for minors, available from all three major credit bureaus, making it more difficult for a fraudster to open new accounts with a child’s PII.
Back-to-school is the right time to think about safeguarding students against identity theft. IdentityForce offers ChildWatch as an additional service available to any adult IdentityForce membership (for organizations that offer IdentityForce identity protection as a benefit to their employees, ChildWatch is free). And, for more comprehensive and proactive protection, consider IdentityForce for both Credit Monitoring + ID Theft Protection.