CCSD continues to investigate cybersecurity incident
The Clark County School District says it’s still investigating a cybersecurity incident that occurred this month, but it hasn’t released details on the cause or what information may be compromised.
The district announced Monday night that it was affected by a “cybersecurity incident impacting its email environment” that happened around Oct. 5.
In response, the district is temporarily limiting access to Google Workspace to within schools and administrative buildings. It also implemented a forced password change for students.
But a couple of teachers told the Las Vegas Review-Journal this week that some students couldn’t get access to change their passwords and that it has affected their ability to use class materials.
Rebecca Garcia, an administrator for the “CCSD Parents” Facebook group, said Wednesday that parents have been asking about the impact on due dates for student assignments if the assignments can’t be accessed from home.
“I think that there’s some frustration on all sides about how this is going to impact learning and activities,” she said.
The district might not be able to control the cyberattack, Garcia said. “It’s the reality we live in.”
But families are receiving “very limited” information from the district, she said. “I have been surprised that I have gotten no communication from my kids’ schools.”
In a message to employees Wednesday, the district said it continues to work to investigate the cybersecurity incident.
“At this time, CCSD employees and students can only access their District email accounts and associated Google Workspace while connected to the District internet,” the district wrote.
The district said it continues to work with schools to facilitate password changes for students and employees.
“While access is limited to Google Workspace, students can still access homework and assignments through Canvas,” according to the email. “Parents can continue to email CCSD staff, but for the time being, employees can only respond when on campus.”
The district released a copy of the message to the Review-Journal, but hasn’t responded to additional questions. That includes topics such as students not being able to reset passwords and the impact on Nevada Learning Academy, the district’s online school that has more than 4,500 students.
An announcement on Nevada Learning Academy’s website says that teachers will contact parents through Infinite Campus.
Parents will receive emails from each teacher with “assignments and learning opportunities” for students that can be completed outside of Clever and Canvas, according to the message.
“Please note that all previously due assignments will have extended deadlines,” the school wrote. “Attendance and grades will NOT be negatively impacted due to the nature of this situation. We look forward to returning to our normal day-to-day with our students, but until then we are here to support!”
Canvas is the district’s online learning management system. Infinite Campus is an information system and the version for parents allows them to get records, including their student’s grades. Clever is a portal where students log in to access the apps they use for school.
The Clark County Education Association teachers union hasn’t responded to two Review-Journal requests for comment this week.
School cybersecurity issues becoming more common
Nationwide, cybersecurity incidents involving school systems are becoming increasingly prevalent and significant, including in the number of individuals affected, said Doug Levin, director of the national nonprofit K12 Security Information eXchange.
The membership organization helps school systems across the country work to defend themselves against emerging cybersecurity risks. It also tracks publicly disclosed incidents and does research on trends.
In response to a Review-Journal question, Levin decline to say whether the Clark County School District is a member of the organization.
There are rumors of the Clark County School District’s cybersecurity incident potentially being a ransomware attack, Levin said, but added he hasn’t seen any confirmation from the district or other sources.
Many school systems across the country rely on Google for email and collaboration tools, Levin said.
In Clark County, the need to be on-site to reset passwords suggests that one or more user accounts were compromised and taken advantage of by a malicious actor, he said.
Nationwide, cybersecurity incidents can lead to classes being canceled, Levin said, and the short-term costs of responding to an incident or recovering data can be significant.
It usually means bringing in forensic experts, he said, and recommendations about how to avoid becoming a victim in the future can be extensive and expensive to implement.
He said it sounded like a ransomware attack that affected the district in 2020 had a minor impact on operations.
Levin said about this cybersecurity incident: “I hope that they were able to detect this quickly.”
If this incident involved malicious hackers external to the school district, there are criminal groups operating largely overseas — including in Russia — that are systematically targeting school systems largely as a way to steal money or things of financial value, Levin said.
The personal information of minors is more valuable than that of adults, he said, adding that children have clean credit records that aren’t being monitored.
There have been cases across the country where students as young as first graders were affected, Levin said.
He said some school systems have paid hundreds of thousands of dollars — if not more — to pay ransoms.
Once a school system has become a victim of a cyberattack — and it’s a question of when, not if — “you’re really between a rock and a hard place,” Levin said. “No choice is a good choice.”
Levin said he doesn’t know which defenses the Clark County School District has in place. But he said many organizations rely on multifactor authentication — such as entering a code sent to a user’s cell phone in addition to a password — to protect against these types of attacks.
For those who may have been affected by the Clark County incident, Levin said the prudent thing to do is to presume their information was breached.
If anyone uses the same username or password for school accounts as they do for their personal social media or bank accounts, they should also change those passwords, he said.
And it’s prudent to not just monitor credit, but to freeze their credit, Levin said, noting parents can also do this for their children.
Another thing to watch out for is that former students and staff may also be affected, Levin said. “It’s not unusual for historical data to also be exposed.”
In Clark County, which currently has nearly 300,000 students and approximately 40,000 employees, that’s “an awful lot of people,” he said.
‘Incredibly sloppy’ passwords
Garcia said she’s not surprised at all that the cybersecurity incident happened because the way passwords are handled for Google accounts for schools has “always been incredibly sloppy.”
She said that at one school all student passwords were reset to the same thing during the COVID-19 pandemic and were used for an extended period of time.
“It seemed like there were not a lot of safety protocols in place with student passwords to ensure that there was a higher level of security,” Garcia said, “so that something like this would be harder to make happen.”
Parent Anna Binder — who has four children in the district — said Thursday that with a breach of this magnitude, the district isn’t normally forthcoming about the totality of the damage.
As a parent, Binder said she’s more concerned about her children’s information and the potential for identity theft.
Binder said her high school senior — who is in a graphic design program — was panicking about not being able to access online assignments but has been getting a little more time to complete work.
A couple of Binder’s children reported they didn’t encounter problems with logging in at school, she said.
And she said her second grader enjoys being able to work on a classroom whiteboard instead of on electronic devices.
Contact Julie Wootton-Greener at jgreener@reviewjournal.com or 702-387-2921. Follow @julieswootton on X.