September 7, 2022

Covering COVID-19 is a daily Poynter briefing of story ideas about the coronavirus and other timely topics for journalists, written by senior faculty Al Tompkins. Sign up here to have it delivered to your inbox every weekday morning.

The Los Angeles Unified School system awoke this week to a cyberattack that is being described as a ransomware attack. The FBI and Department of Homeland Security are involved in the investigation.

The system serves 600,000 students in a thousand schools.

Schools have been a ripe target for cybercriminals. The Los Angeles Times listed other cyberattacks aimed at school systems, some seeking ransoms and some to just cause mayhem:

A notable local attack targeted the Newhall school system in 2020.

In May, the Chicago public school system announced that a massive data breach exposed four years’ worth of records of nearly 500,000 students and just under 60,000 employees.

The attack targeted a company that stored teacher evaluations and basic student information — including dates of birth — but no financial records or Social Security numbers, according to the school system.

A separate recent cyberattack, targeted a company, Illuminate Education, whose clients include L.A. Unified, and whose services, according to its website, reach “more than 17 million students” in 5,200 schools and school districts.

Near Dallas, hackers hit the Mansfield Independent School District’s computer system, which had just been loaded with teacher’s resources, student info, grades and email. A couple of weeks ago, just outside of Pittsburgh, a hacker tapped into the Moon Township school system’s computer network.

The sheer number of cyberattacks that happen daily around the globe is mind-boggling. Just in August, one firm said it identified 112 publicly disclosed security incidents “resulting in 97,456,345 compromised records.” (See the list.)

Education Week explains why schools are a tempting target for hackers:

K-12 schools make tempting targets, in large part, because they have loads of data. And in most cases these days, nearly every computer system that stores data—from gradebooks to door locks to salary information—relies on some sort of online network that is capable of being hacked.

To complicate matters, districts became much more reliant on technology during the pandemic, when they handed out millions of digital devices for remote learning, set up WiFi hotspots around their communities for students to access, and dramatically increased their use of online programs and apps for instruction.

Those changes have opened the doors much wider for hackers to infiltrate districts’ computer networks. And all it takes is for one teacher, student, or parent to click on a phishing email created by a cybercriminal and a ransomware attack could be underway.

Increasingly, education and technology companies that work with K-12 schools are also being targeted. In January of 2022, roughly 5,000 schools and colleges saw their websites go dark when a ransomware attack targeted Finalsite, a private company that provides webhosting and other communications services.

And back in 2017, hackers sent personalized texts to parents in Iowa and other states threatening their children, the Des Moines Register reported.

The school systems sometimes pay the hackers. Education Week notes:

In 2021, hackers demanded $40 million from Florida’s Broward County School District, later lowering their price to $10 million. After the district offered to pay a smaller sum, the hackers published nearly 26,000 stolen files, according to the South Florida Sun Sentinel.

Experts say they have evidence that paying attackers encourages more attacks. TechTarget reports:

For the second consecutive year, research from Cybereason showed that nearly 80% of organizations that paid a ransom suffered repeat ransomware attacks.

Despite government warnings, law enforcement alerts and previous reports showing that paying a ransom perpetuates the ransomware as a service (RaaS) model, many organizations continue to pay threat actors to decrypt data. While Cybereason’s new research, released at RSA Conference 2022 Tuesday, showed that nearly 80% of victims that paid suffered a second attack, that data point becomes even more alarming down the line.

Of the more than 1,400 cybersecurity professionals who participated in Cybereason’s 2022 “Ransomware: The True Cost to Business” global study, nearly half said their organizations paid the second ransom demand, and 9% said they paid a third time.

Of the 80% of organizations that paid a ransom and suffered a second attack, Cybereason found that the same threat actors committed the attacks. Companies were often unable to recover from the first attack before the next occurred, getting hit at the worst possible moment; the study stated that 68% of organizations were hit a second time within a month.

“Adding insult to injury, more than two-thirds of those subsequent attacks demanded a higher ransom than the initial attack, and nearly 6-out-of-10 organizations were unable to recover all of their systems and data even after paying the ransom,” the report said.

Cyber Security Dive quotes from the State of Ransomware 2022 report from Sophos:

  • Ransomware hit 66% of mid-sized organizations last year, up from 37% in 2020. Average ransom payments reached $812,000 during 2021, compared with $170,000 the prior year.
  • Among organizations with encrypted data, 46% paid a ransom to adversaries. In addition, 26% of organizations who were able to restore data from backups, still decided to pay a ransom.
  • One in 10 organizations are paying $1 million or more in ransoms, compared with only 4% in 2020, according to the report.
  • The highest average ransom payments were in manufacturing at $2.04 million, as well as energy and utilities at $2.03 million. The lowest average ransom payments were in healthcare at $197,000 and state/local governments at $214,000.

In 2021, WFAA explored two dozen cyberattacks on Texas school systems. The report found that, on average, one school system is attacked in America every week. The WFAA report found:

Local school leaders are already under pressure from pandemic learning losses and strained budgets. Now, they are finding themselves victims of this new cyber threat to their staffs’ and students’ sensitive data, requiring them to manage how to inform the public, and whether to pay a ransom to criminals.

Judson, for example,ultimately paid $547,000 out of school funds to the hackers – the largest known ransom paid by any school district in the country.


Other school districts contacted by WFAA declined on-camera interviews to discuss details of their ransomware attacks.

“These bad actors are very good at what they do,” said State Rep. Giovanni Capriglione, chair of the Texas House Innovation and Technology Caucus. “In some of these cases, you’re literally going against the nation-state.”

JDSupra reports:

According to Emsisoft, the education sector continues to experience ransomware attacks, with a whopping 1,043 schools affected by ransomware in 2021. This statistic breaks down to 62 school districts and 26 colleges and universities.

Emsisoft estimates that data of employees and students were stolen in at least half of those attacks in 2021.

Why experts have reason to hope there will be no fall COVID-19 surge

At a Food and Drug Administration briefing last week, the agency’s top vaccine expert, Peter Marks, said the organization is “looking at a possible fall wave, with a peak around Dec. 1.”

That would depend on whether there is a new variant that shows up — say, this month — that spreads far and wide enough to cause a wave as significant as omicron in the summer of 2022. It seems that few experts believe we will eliminate the virus, but we may be able to disrupt it enough that it does not stop us all in our tracks, as it has done before.

Experts point to a few reasons to believe that we may not have an autumn COVID-19 surge, but nothing is certain about the coronavirus’ trajectory over the coming months, except that the virus will keep looking for ways to stay active. We now have two COVID-19 booster shots that are formulated to protect against the omicron variants. But how much protection that vaccine provides won’t be known for months. The other reason for hope is that so many people have been infected in the last few months that some level of immunity that will arise from that this fall.

The Washington Post reports:

Coronavirus scenarios from multiple research teams, shared in recent weeks with federal officials, foresee stable or declining hospitalizations in early fall. The scenarios show the possibility of a late-fall surge. A new variant remains the biggest wild card. But several factors — including the approval this week of reformulated boosters and the buildup of immunity against the latest strain of the virus — could suppress some of the cold-season spread, experts say.

“There’s sort of even odds that we would have some sort of moderate resurgence in the fall. But nothing appears to be projecting anything like an omicron wave,” said Justin Lessler, a University of North Carolina epidemiologist who helps lead the collection of covid-19 planning scenarios from a group of research organizations.

The FDA says the best chance we have to control a fall outbreak is for at least as many people to get the omicron booster as get the seasonal flu shot, which is about half of the eligible population. When we control the number of people who get infected, we slow the spread of the virus. We have learned over the last couple of years that a vaccine cannot stop the virus, but it dramatically lowers the chance of serious illness and death.

Keep an eye on the Centers for Disease Control and Prevention’s new Center for Forecasting and Outbreak Analytics, which thinks of itself as the National Weather Service of disease. This newly formed group will attempt to forecast the likelihood of future outbreaks.

Our summer of viruses: Is climate change part of the reason?

The Washington Post notes:

A third year of the coronavirus, driven by a more contagious variant. Global outbreaks of monkeypox and a mysterious hepatitis afflicting previously healthy children. Polio virus found in the sewage systems in London and New York. And polio diagnosed in patients in Jerusalem and Rockland County where Chak works, a region of more than 300,000 people just north of New York City.

Here are some other passages from the Post’s report:

In many respects, the viral invasion is no accident. A warming climate, vanishing forests and global travel have accelerated the spread of pathogens from animals to people, as well as among people in different parts of the world.

Climate change is also driving the risk of infectious diseases. Writing last month in the journal Nature Climate Change, researchers reported that 58 percent of the 375 infectious diseases they examined “have been at some point aggravated by climatic hazards.” Only 16 percent of the diseases had at times diminished because of climate change.

The human population has doubled in the past 50 years to almost 8 billion, fueling the expansion of megacities and demand for land on which to build homes and raise crops and animals. The global land transformation has led to the annual loss of almost 25 million acres of forest, eroding a traditional border between the human and animal worlds, according to the United Nations.

And, the CDC report notes, when humans live closer to animals, there is a greater chance of cross-species infection. The CDC says, “Six out of every 10 infectious diseases in people are zoonotic.”

It is flu shot time

This weekend I will go in for my annual flu shot. The CDC is urging people to get their flu shot at the same time they get their COVID-19 shot. It says that its studies show that when you get both shots at the same time, you get the same protection as if you take them on separate occasions, and recommends that you get one shot in one shoulder and the other in the other.

If they have the new booster, I will get them together. I figure that if I have a sore arm and feel a little run down, I might as well do it up right.

Generally, the experts say, September through October is the best time to get a flu shot so it has time to stimulate immunity before the heavy flu season, which usually arrives in late November.

Monkeypox cases declining in NYC, DC and beyond

I alerted you when cases rose, so I need to close the circle with this update that monkeypox cases in New York City and Washington, D.C., are dropping.

ABC News reports:

Monkeypox cases appear to be on the decline in the epicenter of the country’s outbreak.

Data from the New York City Department of Health & Mental Hygiene shows that as of Aug. 30, the latest date for which data is available, the Big Apple recorded a seven-day rolling average of 9 infections.

That’s an 82% decline from the seven-day rolling average of 50 recorded two weeks ago.

Even as the U.S. approaches 20,000 total infections, nationwide trends appear to show a drop, according to data from the Centers for Disease Control and Prevention.

As of Aug. 31, the seven-day rolling average of cases in the U.S. sits at 281, the lowest number recorded since July 25, according to an ABC News analysis of CDC data.

Big banks relax COVID rules and call people back to the office

Reuters reports that several big banks are calling workers back to their offices starting this week after allowing them to work from home during outbreak surges. Reuters says that Morgan Stanley “informed its New York metropolitan staff in a memo that it will discontinue all COVID testing and monitoring requirements from Sept. 5.”

JP Morgan rolled back its policy of requiring new hires to be vaccinated, while Citigroup “has dropped its regular testing and mask requirements in line with the U.S. official guidance and expects a majority of employees to be in office at least three days per week, a person familiar with the matter told Reuters. Citi is maintaining its mandatory vaccination requirement for U.S. workers.”

Reuters reports that Royal Bank of Canada CEO Dave McKay told staff in a memo, “As we move into the fall, I’m asking our leaders and colleagues to come together more often in person.”

It will be interesting to see if the final quarter of this year is the beginning of the end of the work-at-home movement or whether it is the end of the beginning of a great experiment that is here to stay.

I have talked with so many news executives who say they struggle to find ways to build a cohesive workplace with a big chunk of workers joining in remotely. Many newsroom leaders mention the loss of newsroom culture that normally comes from informal and unscheduled face-to-face encounters with colleagues. If your newsroom has come up with remote working ideas that others should hear about, drop me a note.

We’ll be back tomorrow with a new edition of Covering COVID-19. Are you subscribed? Sign up here to get it delivered right to your inbox.

Support high-integrity, independent journalism that serves democracy. Make a gift to Poynter today. The Poynter Institute is a nonpartisan, nonprofit organization, and your gift helps us make good journalism better.
Al Tompkins is one of America's most requested broadcast journalism and multimedia teachers and coaches. After nearly 30 years working as a reporter, photojournalist, producer,…
Al Tompkins

More News

Back to News