Dancers perform a fancy shawl dance

Dancers perform a fancy shawl dance to open the general session of the Montana Conference of Education Leadership at the Alberta Bair Theater on Thursday.

Overseas hackers scan millions of computers every day looking for weaknesses, and one day, the Columbia Falls School District lost the lottery. 

A hacking group known as The Dark Overlord cracked into the school's secure system and spent several weeks gathering and analyzing data about students in the district, including gaining access to the school's security cameras.

In September, the group unleashed a series of violent threats targeting students, parents and school staffers via media as personal as text messages to private cellphones. The group's final goal was getting school districts to pay a ransom in exchange for the group not spewing its confidential data across the website. Schools haven't paid.

It could happen at any school district in Montana, warned Kalispell Schools IT director Rich Lawrence. The attack, branded "cyber terrorism," was the first of its kind in the U.S., but it appears to have been the beginning of a trend. The U.S. Department of Education issued a national warning to schools Wednesday, citing recent incidents in three different states. 

"We have to be right 100 percent of the time," Lawrence said. "They only have to be right once."

Lawrence spoke to school officials at the Montana Conference on Educational Leadership on Thursday in Billings. 

Kalispell and other Flathead Valley schools were dragged into the hack because of information about students who had transferred between school districts. In all, at least 30 public and private schools were closed for up to three days, and after-school events were canceled. 

In the wake of the Columbia Falls hack, Billings Public Schools superintendent Terry Bouck other district officials met with Billings Police Department Chief Rich St. John to discuss reactions to a potential hack and threats. 

"Without getting too specific, our first course of action will be to communicate with the Billings Police Department," Bouck wrote in an email to district trustees. "Many times, the FBI will get involved, but it is helpful to have the Billings Police be our first point of contact. With this information and other sources of information we will create a more formalized plan to go into our Emergency Crisis Procedure manual."

Billings public schools IT director Kyle Brucker also spoke with FBI officials about the cyber attacks. He said the conversation centered on basic security topics and that he was confident in the district's cyber security measures.  

A district like Billings has the resources to employ tech experts, Lawrence said, but many smaller districts can't afford to do so. That can make them more vulnerable to data breaches, from within and without.

Different attacks

Student data is far more than grades. School computer systems can contain information like social security numbers and medical information of students and employment-related information for staffers.

School districts have long faced attempts to steal data and infect computers with malicious software, and many breaches begin internally. 

An especially popular tactic is to use specifically targeted phishing emails. They may contain personal information that lends authenticity to a phony email, or target administrators with seemingly relevant topics. The attempts can be alarmingly convincing. 

"We actually have seen this at (Kalispell) as well," Lawrence said.

Bigfork Schools suffered a data breach in 2016 when a staffer went to what appeared to be a legitimate website but ended up inadvertantly downloading malicious software. The school's data was encrypted, making it inaccessible. Hackers demanded a ransom to unencrypt it. 

That hack rattled officials in Kalispell, and the district upped it's cyberinsurance coverage from $250,000 to $1 million.

"None of our staff would ever do anything knowingly to breach our data," said Lawrence. "But mistakes are made."

Kalispell trains employees about how to avoid data breaches, and instituted a policy requiring employees to change their passwords after a set amount of time, which can be shorter or longer depending on the sensitivity of data that staffers have access to. 

"We had a lot of moaning and groaning when we put that into effect," Lawrence said. "Since the Columbia Falls incident, we haven't heard a peep."

Small schools, which often rely on administrators and teachers to fill multiple roles and likely can't afford to employ a tech expert, are especially at risk, Lawrence said. Being remote and rural isn't a defense against hacking. And educators typically aren't tech experts.

"The culture of leaving a password on your desk" doesn't cut it anymore, Lawrence said. 

Lawrence, who also is the president of the Montana Education Technologists Association, said the group is working to connect more regional tech experts with small schools to help shore up cyber security. 

Columbia Falls

Flathead Valley authorities contacted the FBI about two days after threats began, once they realized the group was not local. Lawrence said experts from the CIA and NSA also became involved in investigating the hack.

"These were world-class people," Lawrence said. 

At one point, unsuccessful raids were conducted in London attempting to locate hackers, Lawrence said. But hackers use programs that cycle rapidly through IP addresses, which can show where someone is connecting to the internet, masking their location.

"They actually kicked down a couple of doors," Lawrence said. 

Some information used in threats was pulled from personal social media accounts of parents. Authorities determined the violent threats circulating through communities weren't credible, and schools reopened. 

Schools have long faced local threats of violence that have shut doors and stirred fears, and the rare school shooting lends credence to those fears. 

But with cyber threats comes an increased scope and reach, and the prospect of stolen data creates real problems like identity theft. The day after the Columbia Falls threats began, Kalispell was targeted by more than one million port scans, which can be used by attackers to exploit vulnerabilities.

Lawrence is hoping that schools become more aware of security measures. 

"What can we make positive out of this?" he said.

Subscribe to Daily Headlines

* I understand and agree that registration on or use of this site constitutes agreement to its user agreement and privacy policy.


Education Reporter

Education reporter for the Billings Gazette.