By Thomas P. Caldwell, InDepthNH.org
As cybersecurity attacks have become more widespread, towns, cities, and school districts are finding that the measures they were taking to prevent data breaches have fallen short of what is needed to prevent data theft, fraudulent money transfers, and wholesale takeovers of their computer systems.
A computer hack in Peterborough last year robbed the town of $2.3 million when criminals posing as officials with the ConVal School District and Franklin-based contractor Beck & Bellucci sent emails to the town seeking vendor payments. Unsuspecting municipal employees paid the invoices, which went into the accounts of the hackers.
Peterborough Town Administrator Nicole MacStay said that, upon discovering the error, the town immediately filed a claim with Primex — the Public Risk Management Exchange that provides pooled insurance coverage to municipalities, schools, and counties — as well as with Beazley InfoSec, which provides additional cybersecurity coverage.
“Both companies have been very responsive” as the town worked through the loss coverage process, MacStay said. The town collected $125,000, the policy limit for the coverage the town held.
The U.S. Secret Service worked with the three banks involved in the thefts and initially recovered about $600,000 of the money intended for Beck & Bellucci, with another $3,500 recovered later.
As for the rest, MacStay said, “The Town maintains a significant unrestricted fund balance that can be drawn on in emergency situations such as this by first going through a public hearing process.”
That money typically is used to help stabilize the tax rate, but by using two-thirds of the fund balance to cover the hacking losses, the town will not be forced to cut services. However, Peterborough now will be looking to rebuild its fund balance.
Meanwhile, the town has caught up on its payments to ConVal and it repaid the amount due to Beck & Bellucci.
Asked about other cyber attacks in the state, Mike Ricker, general counsel to Primex, said, “Because we are a risk pool handling claims and lawsuits for our members, we have a statutory privilege that makes our claims management information confidential and exempt from disclosure. Most of our claims and cases also involve attorney-client and work product privileges.
“Without prejudice to those protections, we are willing to share some limited information regarding cyber claims from New Hampshire local government entities,” he said.
Primex saw an increase in cybersecurity claims from four in 2019 to 14 in 2020, and there were 24 claims as of October 2021.
“Cyber claims, in general, have become more numerous, complicated, and costly,” Ricker said, noting that coverage of cyber liabilities and losses has separate sections that deal with specific cyber risks. Each section has its own limit or sub-limit of coverage.
“The available limits and scope of cyber coverage have been impacted by a hardening of the insurance and reinsurance markets, resulting primarily from global cyber losses,” Ricker said. “Coverages for breach of privacy claims and damage to computer equipment remain strong. Coverages regarding cyber ransom and loss of funds from deception have been substantially reduced by the insurance markets. Some cyber insurance carriers have receded from the public sector altogether; others have lowered limits or imposed performance metrics for insureds to qualify for coverage.”
He said that Primex cyber coverage, reflecting the broader market, also has seen a reduction in coverage limits for ransom payments and theft by deception.
To help communities deal with the new realities, Primex offers training and consultation to help mitigate cyber risk.
“Training is essential to preparedness,” Ricker said. “While insurance is also an important part of an overall cyber protection plan, good cyber security depends mostly on investments in necessary technology and infrastructure, human awareness and diligence, and developing organizational programs, policies, and processes that prioritize cyber risk mitigation.”
School Challenges
Pam McLeod, director of technology for the Concord School District, agrees that investments in technology and staff training in how to avoid data loss are important, but she said that budget and staffing constraints make the task difficult.
“The days of getting a teacher a laptop and then waiting 10 years to replace it are long gone,” McLeod said. “We’re on a three- to four-year cycle for all of our devices so that we’re staying up to date. Everything, from our servers to our specific devices, we need to keep those on modern operating systems. That’s a big step to staying secure.”
The cost of doing so can be more than some of the smaller school districts feel they can afford, but McLeod says that failing to properly fund technology is dangerous.
“The districts that are doing that, I think they’re paying for it in the long run,” she said. “It’s a lot cheaper to do it up front than it is to do it on the back after you have an incident.”
McLeod, who also serves as a school board member in Alton and is on the executive board of the NH School Boards Association, said school districts have been facing cyber attacks for quite a while, but those attacks ramped up during the pandemic.
“I saw some articles online saying that K-12 was the number one target for cyber attacks,” she said. “And that’s obviously because they know that schools are scrambling to meet the needs of that pandemic.”
Home connections where there is no firewall and underfunded security measures in the schools make districts easy targets.
“There’s also the factor of people thinking that school data doesn’t matter,” McLeod said.
There are hacks such as the one in Peterborough, where criminals posed as employees to gain access to money, but McLeod said a far greater danger for schools is the mining of student information.
“The truth is that these cyber actors are going after kids’ data because students are easier to impersonate. So by building a profile on young kids over time, through attacks of different sources, it makes it easier to perform identity theft.”
The students may not be aware of the problem until, years later, they apply for credit.
“As I talk to parents and staff, I really encourage them to go online — the FTC has a whole portal about this — and freeze the child’s identity,” she said. “You can do a free credit freeze for adults and for kids.”
There have been direct attacks on school districts from hackers who do phishing attempts to charge EFT transactions. “So basically, when we’re making deposits to different vendors, they can attempt to change that information; and direct theft as well of bank accounts and things like that,” McLeod said.
Concord experienced a phishing attack in 2016 in which hackers obtained the social security numbers of all staff members.
“So obviously, we had security at that point, but we got more security at that point, and we’ve been just increasing it ever since,” she said.
The problem for teachers is that extra levels of security make their jobs more difficult. The solution is to find ways to make the security features less intrusive, such as not having to enter security codes as often while at school, but more frequently when working from home.
“A district like Concord, we’re very supported,” McLeod said. “We get what we need, but we have six people to manage everything in the district.” With 1,000 staff members and 5,000 students, and different devices roaming around the network, she describes it as a very lean operation. A comparable-size university would have 10 times the staffing for IT.
Other districts have more of a problem.
“You have this tiny little district which has a part-time technology person doing everything,” she said. “I was in that position in Alton for 10 years. I was their technology director in a K-8 school and I did everything, from instructional support to network security, and that’s just much more difficult.”
McLeod sees the need for county- or statewide collaboration, similar to what the NH Society for Technology in Education offers. She is a co-founder of that nonprofit, bringing together volunteers “to improve education through the use of information technologies.” The volunteers provide assistance to people with less experience in technology or whose school districts do not have as many resources.
“There’s a number of us that tried to be very generous with our time,” she said, “and it would be great to have more resources at the state level or some kind of regional networks to really help schools in this.”
A recent state law created through House Bill 1612 required school districts to protect staff and student data, but provided no money to do so.
“The law had pretty significant requirements of the districts, that needed to be implemented very quickly, and we all scrambled,” McLeod said, crediting former Information Security Officer Daniel Dister with providing valuable assistance. “He was a fantastic resource for schools. He recommended a group of minimum standards for security.”
One of the outcomes was the NH Student Data Privacy Alliance that currently includes 80 percent of the school districts in the state. “Last time I checked, we were the most active state in the country in terms of the number of vendors that we had onboarded into data privacy agreements,” McLeod said.
Those agreements require vendors to meet a set of 42 standards for the protection of the data they hold, both internally and with the school districts.
“For example,” McLeod said, “how their own wireless systems are set up inside their company — could somebody camp out in their parking lot and get to our data — that kind of thing.”
Today, the Alliance has about 1,000 vendors participating in data privacy agreements.
An issue they have not been able to solve is the turnover among technology staff.
“If you have some technology skills, there’s a whole lot of other industries out there where you can go and make more money, and now you can make a lot more money and still live in New Hampshire,” McLeod said, “so it is challenging for schools to staff and keep their technology staff.”
For now, she said, “we all just talk and help each other.”
T.P. Caldwell is a writer, editor, photographer, and videographer who formed and serves as project manager of the Liberty Independent Media Project. Contact him at liberty18@me.com.