Granite School District Data Breach Sparks Legislative Focus on Cybersecurity
In December 2023, Granite School District in Salt Lake City became the latest victim of a significant data breach, affecting approximately 450,000 current and former students. The incident has garnered the attention of the Utah Legislature, particularly the state’s School Security Task Force, which had previously advocated for legislation aimed at bolstering security measures in schools.
The Task Force was instrumental in passing House Bill 84 last year, legislation designed to enhance armed security within educational institutions, mandate the installation of emergency communication systems and panic buttons, and establish procedures for reporting safety threats. This law also connects the SafeUT Crisis Line with Utah’s broader intelligence framework. Rep. Ryan Wilcox, R-Ogden and chairman of the Task Force, emphasized that children’s data commands a monetary value four to six times higher than adult data on illicit markets, underscoring the necessity for robust safety measures.
Adding to the urgency of the situation, multiple school districts, including Salt Lake City, Weber, Cache, Duchesne County, Iron County, and Washington County, recently reported compromised student data due to a cyberattack targeting the widely used PowerSchool online platform. In light of these developments, Wilcox indicated that cybersecurity would be a primary focus for the Task Force and Legislature in the coming year.
In a recent meeting, security experts from Fortinet, a California-based cybersecurity firm, briefed the Task Force on effective strategies to safeguard sensitive data. Kevin Lopez, a major account manager at Fortinet and former IT director for Utah’s network infrastructure, stressed that cybersecurity is not merely about installing protective measures but about cultivating a defensive mindset across all digital environments.
Lopez outlined several foundational security practices crucial for securing educational environments, including the implementation of multifactor authentication—an essential step that can reduce security risks by up to 99%. He elaborated on four key components to fortify system-wide defenses: the identities and devices of individual users, the systems controlled by school IT teams, the supply chain involving vendors providing cloud services, and the network connections enabling access to applications.
Lopez pointed out that many educational institutions secure their networks with firewalls, which act as barriers between trusted internal and untrusted external networks. He also advocated for adopting “zero trust frameworks,” which limit access to essential applications based on individual needs, allowing IT teams to exert greater control over data access.
Conducting thorough risk assessments of IT systems is paramount, according to Lopez, to identify weaknesses that could be exploited by malicious actors. Should a breach occur, there are tools available to monitor compromised data, providing schools with insights into risks across both the public internet and dark web.
The suggestions presented to the Task Force signal a future where lawmakers may prioritize cybersecurity measures for educational institutions. Rep. Wilcox articulated the importance of establishing a structured approach to cybersecurity, promoting minimum standards to prevent vulnerabilities arising from oversights or insufficient planning.
This breach and subsequent legislative response highlight an escalating concern surrounding school cybersecurity and the crucial need for proactive measures in protecting sensitive educational data. The vulnerabilities exposed by these incidents signal a growing imperative for educational institutions to reassess and reinforce their cybersecurity strategies in alignment with established frameworks such as the MITRE ATT&CK Matrix, identifying tactics relevant to incidents of initial access, persistence, and privilege escalation.