Budget Cuts Could Expose Student Data to Cyber Threats

When hackers hit a school district, they can expose student data like Social Security numbers, home addresses, and even disability and disciplinary records. Now, cybersecurity advocates warn that the Trump administration’s budget and personnel cuts, along with rule changes, are stripping away key defenses that schools need. “Cyberattacks on schools are escalating and just when we need federal support the most, it’s being pulled away,” said Keith Krueger, chief executive officer of the Consortium for School Networking, an association of technology officials in K-12 schools.

The stakes are high. Schools are a top target in ransomware attacks, and cyber criminals have sometimes succeeded in shutting down whole school districts. The largest such incident occurred in December 2024, when hackers stole personal student and teacher data from PowerSchool, a company that runs student information systems and stores report cards. The theft included data from more than 60 million students and almost 10 million teachers. PowerSchool paid an undisclosed ransom, but the criminals didn’t stop. Now, in a second round of extortion, the same cyber criminals are demanding ransoms from school districts.

The federal government has been stepping up efforts to help schools, particularly since a 2022 cyber attack on the Los Angeles Unified School District, the nation’s second largest. But now this urgently needed assistance is under threat. Of chief concern is a cybersecurity service known as MS-ISAC, which stands for Multi-State Information Sharing and Analysis Center. It warns more than 5,700 schools around the country that have signed up for the service about malware and other threats and recommends security patches. This technical service is free to schools, but is funded by an annual congressional appropriation of $27 million through the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security.

On March 6, the Trump administration announced a $10 million funding cut as part of broader budget and staffing cuts throughout CISA. That was ultimately negotiated down to $8.3 million, but the service still lost more than half of its remaining $15.7 budget for the year. The non-profit organization that runs it, the Center for Internet Security, is currently digging into its reserves to keep it operating. But those funds are expected to run out in the coming weeks, and it is unclear how the service will continue operating without charging user fees to schools.

“Many districts don’t have the budget or resources to do this themselves, so not having access to the no cost services we offer is a big issue,” said Kelly Lynch Wyland, a spokeswoman for the Center for Internet Security.

Another concern is the effective disbanding of the Government Coordinating Council, which helps schools address ransomware attacks and other threats through policy advice, including how to respond to ransom requests, whom to inform when an attack happens and good practices for preventing attacks. This coordinating council was formed only a year ago by the Department of Education and CISA. It brings together 13 non-profit school organizations representing superintendents, state education leaders, technology officers and others. The council met frequently after the PowerSchool data breach to share information.

Now, amid the second round of extortions, school leaders have not been able to meet because of a change in rules governing open meetings. The group was originally exempt from meeting publicly because it was discussing critical infrastructure threats, but the Department of Homeland Security, under the Trump administration, reinstated open meeting rules for certain advisory committees, including this one. That makes it difficult to speak frankly about efforts to thwart criminal activity.

Some federal programs to help schools with cybersecurity and protecting student data are still running. The Federal Communications Commission launched a $200 million pilot program to support cybersecurity efforts by schools and libraries. FEMA funds cybersecurity for state and local governments, which includes public schools. Through these funds, schools can obtain phishing training and malware detection. With budget battles ahead, however, many educators fear these programs could also be cut.

Perhaps the biggest risk is the end to the entire E-Rate program that helps schools pay for the internet access. The Supreme Court is slated to decide this term on whether the funding structure is an unconstitutional tax. “If that money goes away, they’re going to have to pull money from somewhere,” said Smith of the Student Data Privacy Consortium. “They’re going to try to preserve teaching and learning, as they should. Cybersecurity budgets are things that are probably more likely to get cut. It’s taken a long time to get to the point where we see privacy and cybersecurity as critical pieces,” Smith said. “I would hate for us to go back a few years and not be giving them the attention they should.”

Allison Green
Boston Tutoring Services