SANTA FE, N.M. – When the superintendent of Albuquerque Public Schools announced earlier this week a cyber attack would lead to the cancellation of classes for around 75,000 students, he noted that the district’s technology department had been fending off attacks “for the last few weeks.”
Albuquerque is not alone, as five school districts in the state have suffered major cyber attacks in the past two years, including one district that's still wrestling with a cyber attack that hit just after Christmas.
But it's the first reporting a cyber attack that required cancellation of classes, all the more disruptive as schools try to keep in-person learning going during the pandemic.
“If it seems I’ve come into your homes a lot in the past couple of years to share difficult news, you’re right. And here I am again,” Superintendent Scott Elder said in a video address Thursday. “We find ourselves facing yet another challenge.”
The closures, on Thursday and Friday, affect approximately one in five New Mexico schoolchildren, in what is the country’s 35th largest school district by enrollment, according to 2019 data from the National Center for Education Statistics. The district was one of the last in the state to reopen last year as vaccines became available.
The small town of Truth or Consequences discovered a cyber attack on Dec. 28, and still hasn't gained control of its computer systems.
“We’re not out of the woods yet,” said Mike Torres, the information technology director of the school system in Truth or Consequences, a small town in central New Mexico.
The attack has not been previously reported. It came when students were on vacation, allowing time to make contingency plans before students returned. Torres says that while the attack “made computer systems unavailable,” disruption has been minimal.
That wasn’t the case in Albuquerque, where teachers discovered Wednesday morning that they were locked out of the student information database that tracks attendance, records emergency contacts for students, and tracks which adults are allowed to pick up which students at the end of the school day.
In 2019, Las Cruces Public Schools also suffered an attack on their student information database, after a phishing attack lured one or more employees to click a malicious link in an email months before, recalls Matt Dawkins, that district’s information technology director.
After lurking and scoping out the district’s system, a hacker or hackers carried out ransomware attack. Data on many school computers, starting with the student database, was locked up in an encryption. A ransom was demanded in exchange for the key.
“It’s kind of like when your house gets robbed you know? That feeling of being violated,” said Dawkins, in an interview Thursday, as his school went under lockdown due to an unrelated police call a mile away.
The school didn’t pay the ransom, and eventually found a way to reset its data systems to the state they were in the day before the attack. But it required months of hands on work, and extra expenses for temporary Wi-Fi hotspots, and some new computers. Insurance covered much of the cost of the attack.
In the past two years, at least four other New Mexico schools have been hit by costly cyber attacks, according Patrick Sandoval, interim director of the New Mexico Public School Insurance Authority, which insures all districts in New Mexico except for Albuquerque.
Targets across the U.S. in 2021 included universities, hospitals, and a major fuel pipeline. Data on the number of attacks and their cost are difficult to track, but the FBI's 2020 annual report on cyber attacks said around $4.1 billion in damages was reported by institutions across the country that year.
Dawkins added if Albuquerque faces a ransomware situation, which hasn’t been confirmed, it might face a more complex attack. Instead of holding information hostage, ransomware attacks now threaten to sell data to the highest bidder online. So the student data in Albuquerque might not just be locked up, Dawkins said, but at risk of being shared with identity thieves and other bad actors.
Albuquerque Public Schools hasn’t said if the cyber attack they face is a ransomware attack, only that their student information database was “compromised,” and that it's working with law enforcement and contractors to limit the damage.
Whatever the cause, they face a similar problem as Las Cruces faced in the days following the attack.
The database used to track attendance and other students was out of commission. It also realized that laptops needed to be quarantined and taken out of service, forcing teachers to work offline.
“Immediately our instructional department pivoted with pen and paper, you know, kind of old fashioned sort of teaching so our print shop was printing materials. Teachers were able to adapt very quickly,” Dawkins said.
Albuquerque Public School officials have not elaborate on the decision to close schools, and didn't respond to requests Thursday about why a paper system was not possible.
The decision to continue classes in Las Cruces came at a cost. Dawkins said that it probably took longer to get the school’s thousands of computers wiped and reset while teachers and administrators were working normal hours, and they had to live without technology for weeks and weeks.
In January 2020, the district’s computers were running again and in good time, too — the pandemic forced teachers and students into remote learning just a few months later.
This version corrects the first name of the information technology director in Truth or Consequences to Mike, not Mark.
Attanasio is a corps member for the Associated Press/Report for America Statehouse News Initiative. Report for America is a nonprofit national service program that places journalists in local newsrooms to report on under-covered issues. Follow Attanasio on Twitter.