Minnesota school superintendents were the target this week of an e-mail “spear phishing” scam aimed at gathering financial information about their districts, which came disguised as an official message from Education Commissioner Brenda Cassellius.
Suspicious school administrators quickly alerted state cybersecurity experts, and state officials said no financial or personal information was compromised. But officials from both the Minnesota Department of Education and the state’s information technology agency say the attack is part of a broad and growing trend of cyber threats facing state and local government. State government agencies alone fend off about 3 million attempts to steal protected data each day.
“In the last few years, it has kind of exploded,” said Aaron Call, the state’s director of information security. “Gone are the days where computer hackers were looking to do something funny or novel. It’s become a for-profit business.”
Many of the hacking attempts originate overseas, but Call said they’re often tough to pinpoint.
Officials aren’t sure who impersonated Cassellius or what they might have been hoping to achieve. The initial e-mail didn’t appear to be well thought out; it was riddled with punctuation errors and asked for amounts in school districts’ general funds, which are already public information.
Josh Collins, a spokesman for the Department of Education, said nothing indicates the hackers were able to gather that information, or any private data about students or school employees. But he said it’s likely the culprits used publicly available information, like superintendents’ names and contact information, to target the scam.
Since the message may have gone to all 335 districts and 170 charter schools, Collins said it highlighted the potential far-reaching impact on schools of a more successful cyberattack.
“For us what it underlines is the importance of having staff we can rely on who are competent in this, and know how to respond,” he said.
In his two-year budget proposal, DFL Gov. Mark Dayton is seeking about $125 million in additional funding to help protect the state against online threats. That includes about $51 million to upgrade IT systems and $74 million to hire more cybersecurity employees, make the state’s data center more secure and buy more sophisticated software.