Another issue Henry found was in the way Polk County used the Microsoft SharePoint platform, a collaboration and storage tool, to manage data. He noticed that students and teachers were lumped together in a SharePoint “user group” and had all been granted the same access to files stored in the system. This meant that students could access anything on the SharePoint, including each other’s data. One file was labeled as containing student usernames and passwords and was simply an unlocked, plaintext spreadsheet of student login credentials for school accounts.
Polk County Schools did not return a request for comment on Henry’s research. At the July 2019 meeting where Henry shared his findings, though, members of the school board appeared to support his work. “I’ve directed him multiple times to our IT staff,” Billy Townsend, the school board representative for Polk County’s District 1, said. “I think he’s done some very useful things, from what I understand. I think we should take seriously what he’s saying.”
Henry also found and reported similar vulnerabilities in the systems of two private Florida universities last year. He says that making all of these discoveries while he was still a student motivated him to pursue a career in ed-tech cybersecurity.
“When I took a look, there was so much that was vulnerable—just a stupid amount of vulnerability,” Henry says. “It doesn’t feel good. When you participate in a capture-the-flag hacker competition or do a cool bug bounty, it feels good to find stuff, but you see these flaws in education systems and there’s nothing to be proud of as a researcher. You changed a number or you just looked! I’m not some genius. It’s just very obvious that nobody else is looking.”
After some especially dramatic cyberattacks against schools in the fall, including multiple situations where districts had to cancel class because of ransomware attacks, researchers say that there started to be momentum toward making cybersecurity a priority in school systems around the country. But Doug Levin, founder of the consulting firm EdTech Strategies, which compiles data on K-12 cybersecurity incidents, says all of that ground to a halt when the Covid-19 pandemic hit.
“Suddenly everything shifted on a dime,” Levin says, recalling how schools raced to set up infrastructure for online learning en masse. “It went into that mode where everything is built with rubber bands and toothpicks. Get everyone working and learning remotely, distribute devices to students, connect to local printers, deal with forgotten passwords, whatever. People should be concerned about the technical decisions they were making. And even with a bit more time to plan for the fall, it’s all still very fluid.”
There’s no single, comprehensive source of reporting on K-12 digital security incidents in the US. Levin created the Cyber Incident Map to track as many publicly disclosed attacks as possible—compiled from legal disclosures, news reports, and research findings. But the tracker likely undercounts actual total incidents by a significant margin, since so many are kept under wraps and never go public.
In the past three months, Levin has been surprised to see a decrease in the number of public accounts of K-12 cyberattacks, though they’re certainly not gone altogether. It’s unclear if this actually represents a downtick in the number of incidents or whether other factors are at play. Levin also points out that there may be a new digital infection spike in the fall when students, teachers, and administrators physically go back to school and plug their devices into hardwired networks for the first time in months.
While the pandemic has fueled new exposures, it has also simply accelerated a digitization that was already in progress across K-12 education—a phenomenon seen in virtually every industry. Given the cracks that already existed in schools’ digital defenses, it’s more vital than ever to take precautions now.