Online education vendor K12 hit with ransomware, pays ransom

A spokesperson for K12 told SearchSecurity that based on the current status of the investigation, the attack did not affect student devices or school networks.

Online education vendor K12 Inc. disclosed it suffered a ransomware attack and has paid the ransom to the attackers.

In a Monday press release, K12 (soon to be renamed Stride Inc. on Dec. 16) said it believes the threat actor accessed "certain parts" of its corporate back-office systems, which may have compromised "some student and employee information on those systems," but the investigation is ongoing. The incident is the latest in a string of ransomware attacks on education targets during the COVID-19 pandemic, which has led many K-12 schools and higher education organizations to adopt remote learning.

"K12 Inc. ... has detected unauthorized activity on its network, which has since been confirmed as a criminal attack in the form of ransomware," the press release reads. "Upon identifying unusual system activity, we quickly initiated our response, taking steps to contain the threat and lock down impacted systems, notifying federal law enforcement authorities, and working with an industry-leading third-party forensics team to investigate and assist with the incident."

K12 said that, based on the current status of the investigation, it believes the company's "Learning Management System" education platform has not been affected, and delivery of online services to students has not been interrupted. When asked whether the company has ruled out student devices or school networks being impacted as a result of the ransomware attack, a K12 spokesperson told SearchSecurity that "Based on our investigation to date, the attack did not affect student devices/computers or school networks."

The spokesperson also confirmed that K12 has paid the ransom; the company referenced a payment to the attackers in the press release.

"We carry insurance, including cyber insurance, which we believe to be commensurate with our size and the nature of our operations. We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed," the press release read.

As part of the company's response to the attack, K12 has built a team of data security compliance advisors. The team includes former United States Attorneys and state Attorneys General who have experience with handling cybercrime, as well as other technical advisors. K12 listed three members of the team: former U.S. Attorney for the Eastern District of Missouri Catherine Hanaway; former California state Attorney General William Lockyer; and former Wisconsin state Attorney General and former U.S. Attorney for the Western District of Wisconsin John Byron (J.B.) Van Hollen.

According to the press release, "The team will assist in guiding our efforts in response to this incident, including compliance with state and federal laws, continued cooperation with law enforcement, and communications with outside parties concerning the incident."

K12 also said its systems are operating with "minimal impact," and that "we do not believe the incident will have a material impact on our business, operations or financial results."

Financial impacts of ransomware attacks go beyond the ransom demands and can include costs for downtime, as well as remediation and recovery. A session during Gartner's Security & Risk Management Summit in September mentioned that in addition to a rapidly rising average ransomware payment ($178,254 in Q1 2020 versus $5,593 in Q3 2018), downtime costs following the attack can be five to 10 times the ransom amount.

This ransomware attack marks the second cybersecurity incident for the company in the last two years. In June 2019, an unsecured K12 database was discovered by security researcher Bob Diachenko; the database exposed nearly 7 million student records.

Cyber attacks on K-12 education targets have primarily been against school district networks rather than online education tools, platforms or vendors.

"School districts are quite immature with their cybersecurity risk management," said Doug Levin, founder and president of consultancy EdTech Strategies in Arlington, Va. "It's not something that historically they've had to pay attention to but that has changed in recent years, and school districts are relying often on vendors to provide these [online education] services."

But Levin cautioned that when an education vendor is compromised, it could potentially affect a "staggering" number of school districts.

Security news writer Arielle Waldman contributed to this report.
