A school district serving 42,000 students in suburban Dallas suspended all student-issued Chromebooks and shut down its internal network after a cyberattack compromised administrative systems, email servers, and learning management platforms. The attack, identified as a ransomware variant, encrypted files across 14 school campuses and the district’s central administrative office. Classes shifted to paper-based instruction while IT teams and federal investigators worked to restore systems. If you are a parent, teacher, or school administrator, this incident highlights how vulnerable educational institutions are to cyber threats and what your school district should do to prevent a similar disruption. Here is what happened, how the district responded, and what the incident reveals about cybersecurity in American public schools.

What Happened in the Attack

  • Ransomware encrypted files across 14 school campuses and the central district office in a coordinated attack launched at 2:17 a.m. on a Tuesday.
  • 18,000 student Chromebooks were suspended from the network as a containment measure within four hours of detection.
  • Email, grading systems, and the learning management platform were offline for six days before partial restoration.
  • The attackers demanded $2.3 million in Bitcoin, which the district declined to pay on the advice of the FBI.
  • No student data was confirmed exfiltrated as of the latest update, though the investigation continues.

How the Attack Unfolded

The initial compromise occurred through a phishing email sent to a district payroll administrator two weeks before the ransomware deployed. The email contained a link to a fake vendor invoice portal mirroring the district’s legitimate accounts payable system. The administrator entered their credentials, giving the attackers access to the district’s Microsoft 365 environment.

For 13 days, the attackers moved laterally through the network without detection. They accessed the Active Directory server, created additional administrator accounts, and mapped network shares across all 14 campuses. At 2:17 a.m. on the attack day, the ransomware executed simultaneously across all connected systems. By the time the district’s IT team received automated alerts at 2:45 a.m., the encryption was 60% complete. The team disconnected the network at 3:30 a.m., limiting the damage but not before critical systems were affected.
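The account-creation step described above leaves a trail in the domain controllers' Security log. The following is an added example, not part of the original article or the district's tooling: it flags accounts that are created and then placed in a privileged group within 24 hours. The event records are constructed, and the field names and the privileged-group list are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a global / local / universal security group.
CREATED = 4720
GROUP_ADD = {4728, 4732, 4756}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list

# Constructed sample records (not from the incident). Field names are assumptions
# standing in for whatever your log pipeline emits.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T01:12:09", "id": 4720, "actor": "payroll.admin", "target": "svc_print2"},
    {"time": "2025-03-04T01:13:40", "id": 4728, "actor": "payroll.admin",
     "target": "svc_print2", "group": "Domain Admins"},
    {"time": "2025-03-04T09:30:00", "id": 4720, "actor": "helpdesk1", "target": "new.teacher"},
    {"time": "2025-03-04T09:31:00", "id": 4728, "actor": "helpdesk1",
     "target": "new.teacher", "group": "Staff-HS"},
    # Existing account with no creation event in the data: out of scope for this rule.
    {"time": "2025-03-05T10:00:00", "id": 4732, "actor": "it.director",
     "target": "sysadmin3", "group": "Administrators"},
]

def find_fresh_admins(events, window=timedelta(hours=24)):
    """Return alerts for accounts granted a privileged group soon after creation."""
    created = {}  # account name -> (creation time, creating account)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == CREATED:
            created[ev["target"]] = (when, ev["actor"])
        elif ev["id"] in GROUP_ADD and ev.get("group") in PRIVILEGED:
            born = created.get(ev["target"])
            if born and when - born[0] <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": born[1],
                    "granted_by": ev["actor"],
                    "minutes_after_creation": int((when - born[0]).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_fresh_admins(SAMPLE_EVENTS):
        print(alert)
```

A rule like this only helps if someone or something is watching the output around the clock; the same events at 1 a.m. and at 9 a.m. deserve the same scrutiny.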

Why Schools Are Vulnerable

American public school districts operate with some of the smallest IT budgets relative to their data footprint. This district, with 42,000 students and 6,200 employees, has an annual IT budget of $3.8 million, including hardware, software, staffing, and network infrastructure. The cybersecurity allocation within the budget is $340,000 per year, roughly $8 per student. By comparison, the average mid-size corporation spends $1,200 to $1,800 per employee on cybersecurity annually.

The district employs three full-time IT security staff, responsible for protecting 22,000 devices, 180 servers, and network infrastructure spanning 16 buildings. The team lacks a dedicated security operations center (SOC), real-time threat monitoring, and incident response playbooks for ransomware scenarios. These gaps are common across American K-12 education, where the Consortium for School Networking reports 82% of districts have fewer than five dedicated cybersecurity personnel.

“Schools are sitting targets. They hold enormous amounts of sensitive student and employee data, they operate aging infrastructure, and they have fractions of the security budgets of comparably sized private organizations. Attackers know this.” - Tom Bossert, former Homeland Security Advisor and K-12 cybersecurity consultant

The District’s Response and Recovery

The superintendent declared a “technology emergency” the morning of the attack and activated the district’s crisis communication plan. Parents received robocalls and text messages by 6:30 a.m. explaining the situation and confirming schools would remain open with paper-based instruction. Teachers reverted to printed materials, whiteboard instruction, and physical homework collection for six days.

The FBI’s Dallas field office and the Cybersecurity and Infrastructure Security Agency (CISA) dispatched incident response teams within 24 hours. These teams assisted with forensic analysis, system recovery, and negotiation assessment. The district declined to pay the $2.3 million ransom, following FBI guidance that payment does not guarantee data recovery and funds criminal organizations. Recovery relied on backup systems stored in a geographically separate data center, though the backups were 11 days old because the backup schedule ran biweekly rather than daily.

Data Impact Assessment

The investigation found no evidence of data exfiltration at the time of the ransomware deployment. The attackers appeared focused on encryption and ransom rather than data theft. The district holds records including student names, addresses, Social Security numbers (for lunch program eligibility), medical records, disciplinary files, and IEP documents for students with disabilities. Employee records include payroll information, Social Security numbers, and tax documents.

As a precaution, the district offered 24 months of free identity monitoring services to all students and employees. Parents received notification letters explaining what data the district holds and how to freeze their child’s credit file as a protective measure.

Impact on Students and Learning

The six-day system outage disrupted instruction for 42,000 students during a testing preparation period. Teachers lost access to lesson plans stored on the LMS, grading records for the current marking period, and digital instructional materials. Special education staff lost access to Individualized Education Program (IEP) tracking systems, creating compliance concerns under federal IDEA requirements.

Students in Advanced Placement courses lost access to online review materials and practice exams three weeks before AP testing. The district worked with the College Board to arrange alternative access through personal devices on home networks. Teachers reported the transition to paper-based instruction was manageable for elementary grades but created significant disruption for high school courses dependent on lab software, digital design tools, and online research databases.

Mental Health and Student Anxiety

School counselors reported increased student anxiety during the outage, particularly among students concerned about whether their personal information was compromised. The district hosted four community town halls for parents to ask questions and receive updates from the IT team and FBI representatives. Attendance at these events totaled 3,200 parents across the four sessions.

What Other School Districts Should Do

This incident provides a case study for every school district in the country. Here are the specific steps your district should take based on lessons from this attack:

  • Implement daily backups stored in an isolated, air-gapped environment not accessible from the primary network.
  • Deploy multi-factor authentication (MFA) for all staff accounts, especially administrators with elevated privileges.
  • Conduct quarterly phishing simulations for all employees, with mandatory retraining for staff who click simulated phishing links.
  • Segment the network so a compromise on one campus does not grant access to all district systems.
  • Establish an incident response plan with defined roles, communication protocols, and relationships with FBI and CISA before an attack occurs.
  • Apply for federal cybersecurity grants through the FCC E-Rate program and CISA’s K-12 Cybersecurity Initiative, both providing dedicated education funding.

The Bigger Picture for K-12 Cybersecurity

Since 2020, recorded cyberattacks against U.S. school districts have risen 280%. Ransomware, data breaches, and denial-of-service attacks affect districts in every state. The K12 Security Information Exchange tracked 1,619 publicly disclosed incidents in 2025 alone. The federal government has responded with increased funding and guidance, but implementation moves slowly through state and district bureaucracies. CISA published updated cybersecurity guidelines for K-12 organizations in January 2026, including specific technical recommendations for network segmentation, identity management, and incident response planning.

For parents, the most important action is to ask your school district three questions: Does the district use multi-factor authentication? When was the last backup test? Does the district have a documented incident response plan? The answers tell you how prepared your schools are for the next attack. This Dallas-area district learned these lessons the hard way. Your district does not have to.