Lack of oversight raises questions about how cyber attacks are prevented at Middle Tennessee schools

Published: Aug. 8, 2022 at 6:36 PM CDT
Email This Link
Share on Pinterest
Share on LinkedIn

NASHVILLE, Tenn. (WSMV) - After Austin Peay State University fell victim to a cyber attack back in the spring, WSMV4 Investigators wanted to know what’s being done to protect students and staff as everyone heads back to school.

But as investigative reporter Lindsay Bramson found out, there’s no oversight when it comes to cyber attacks in Tennessee schools.

As a parent of a high school senior, Sean Root is constantly explaining to his daughter the importance of not over sharing on the internet.

“Somebody hacked her Instagram this year,” Root said. “She was freaking out.”

But whether its through social media, gaming systems, or even their school accounts, the threat to students personal information is real, especially inside schools.

“We’re a prime target. We have brand new data that students who aren’t even available to vote yet — it’s gonna be available to people to sell,” said John Teeter, director of enterprise network operations at Metro Schools.

In a video posted on the website of the company providing cybersecurity technology for the district, Teeter explains just how serious cyber crimes against schools can be. And FBI agent Kevin Varpness says cyber attacks on K-12 schools are happening everywhere, including in Middle Tennessee.

“Schools can definitely be doing more to protect information,” Varpness said.

WSMV Investigates did some digging and found out the state doesn’t require districts report cyber attacks when they happen.

“Do you think districts should have to report to the state when cyber attacks occur,” Bramson asked Root.

“I think they should have to report to the state and the parents,” Root said. “Unfortunately, they’re not reporting to anybody when things happen.”

In a statement, the Tennessee Department of Education said school districts are not required to report cyber events to the department.

“Each district has its own reporting policy and guidelines,” the education department said.

And because there isn’t a law, state or federal, requiring schools to keep track, the Government Accountability Office (GAO) wants to make changes — issuing a report last year urging the federal Department of Education to update its security plan, which hasn’t been touched in more than a decade.

Not only has technology come a long way since 2010, but the GAO report says the aging plan also means schools don’t have access to federal programs that could help protect students vital information that if leaked could help a cyber criminal steal your child’s identity before they even get their first credit card.

“If they have the one password to your school account, they probably have the password to your email, Facebook, Twitter, everything else,” Varpness said. “People can do lots of damage with that.”

Parents like Root say they want schools to be held more accountable before personal information like his daughter’s social security number or home address get into the wrong hands.

“I know there’s always a step where you could go further and do more,” Root said.

WSMV4 reached out to nearly a dozen school districts in Middle Tennessee to find out just how many cyber attacks they’ve had in recent years.

Here are the responses from the school districts:

Metro Schools

We have not had experienced any ransomware attacks to date. Most of the “cyber-attacks” experienced by the district are in the form of phishing scams attempting to get users to enter in personally identifiable information. We have a reporting system in our email system, and we have added protections in the form of link redirects that route any email links through malware and phishing detection systems. Our cyber security division periodically runs phishing tests and require staff to undergo training if they fail to detect the potential scam. We also have various other security controls in place like DDoS protections in place to prevent network crashes. Except for the aforementioned phishing scams where individual users may have provided their own information, we have not had any information compromised through cyber-attacks.

Franklin Special School District

In response to your questions, the FSSD has had no cyber or ransomware attacks in the past two years. In the event it should ever occur, our schools would report it to our Technology Department, which would evaluate the attack to determine if any data was compromised. Depending on the type/severity of attack, the Technology Department would work alongside the Director of Schools to notify the appropriate law enforcement agency/agencies. Thanks for your interest in the Franklin Special School District.

Rutherford County Schools

I checked with our IT department. We have had some phishing situations but they’ve all been minor occurrences. Out IT department does not track the number of cases. We also now use two-factor authentication (where a code is sent to your phone, for example, during login), which is another layer of security that limits these types of scams.

Cheatham County Schools

In the last 2 years, the Cheatham County School District has not had any reported ransomware attacks to the best of our knowledge. Any incidents that we have had in the past would have been outside of the 2-year threshold and it was to individual devices where no sensitive information was breached, and all documents/files were able to be recovered. This information was shared with the TBI. We have an email filter that notifies us of an impersonation attempt and blocks the email. It allows us to release the email upon investigation.

Robertson County Schools

We've not had any successful cyber-attacks on our system and don't have a record of attempts. Beyond our firewalls and filters, we prefer not to comment on our preventive measures.

Dickson County Schools

Dickson County Schools is following industry protocols and standards and continues to review best practices as well as monitoring current cyber-security events and trends.

Williamson County School District

Williamson County Schools has not had any successful compromises in our district over the last two years. WCS uses a multi-faceted approach to cybersecurity that covers all aspects of our network. Our IT staff constantly monitors cyber activity and reacts, as necessary. We have also implemented ongoing cybersecurity training modules targeted at educating our staff on such topics as phishing, safe web browsing, password security and more. In the event of a large-scale cybersecurity event, WCS will invoke our disaster recovery plan and contact the appropriate law enforcement agencies such as the Williamson County Sheriff’s Department and the FBI.

Clarksville-Montgomery School System

The reality is CMCSS, like all school systems and organizations that utilize technology, is constantly under the threat of a variety of cyber-attacks. The CMCSS Technology Department is continuously focused on preventing any breach of our networks and systems and has implemented numerous strategies, systems, and services to combat cyber-attacks. Phishing and malware continue to be some of the most common cyber-security threats, and CMCSS has implemented policies, procedures, and training to protect students, employees, and the District. There have been no breaches in the past several years, and CMCSS has greatly improved its cyber-security efforts sincethe data breach 10 years ago.

Wilson County School District

We have had zero ransomware attacks happen in the last 2 years. We have phishing scams happen on a fairly regular basis, but we cut out 99% of those through our email security solution. The main issues happen when staff is careless when opening attachments and forms. They have been known to give personal identifiers such as password, phone numbers, employee numbers, etc. Oftentimes you did not see anything come as a result of this for days, weeks, or months, but when it hits, there will likely be several others that enter in their information, and then it starts over.

While we would prefer to refrain from revealing precise protocol when this has been recognized (for added safety measures) we do have several backup measures in place to ensure that we are safe for mission critical applications.

School administration know to contact us, and we will ensure that everything is handled correctly.

Copyright 2022 WSMV. All rights reserved.