The dark web is flooded with personal information about American children, and experts say it’s hard to stop

Without bank passwords, without having a credit score, the dark web is still awash with the personal information of millions of children.

The ongoing wave of ransomware attacks has cost companies and organizations billions of dollars and exposed personal information of everyone from hospital patients to police officers. It has also swept through school districts, meaning that thousands of school documents are now visible on these hacked sites.

NBC News collected and analyzed school files from these sites and found that they were filled with children's personal information. According to statistics provided to NBC News by Brett Callow, a ransomware analyst at cybersecurity firm Emsisoft, ransomware gangs released data from more than 1,200 U.S. K-12 schools in 2021.

Some of the schools linked by the breach don't seem to be aware of the problem. Even when schools are able to resume operations after an attack, there is little parents can do when their children's information is compromised.

Some of the data is personal, such as medical conditions or family finances. Other data, such as Social Security numbers or birthdays, are permanent and permanent markers of their identity, and their theft could expose a child to a lifetime of potential identity theft.

Doug Levin, director of the K12 Security Clearinghouse, a nonprofit organization dedicated to helping schools defend against cyber threats, said public school systems are even worse equipped to protect students' data from specialized criminal hacks than many private companies.

"I think it's clear right now that they're not paying enough attention to how to secure their data, and I think everybody's at their wits' end about what to do when they're exposed." Levin said. "And I don't think people have a good handle on how big that exposure is."

Growing problem

For more than a decade, schools have been a regular target for hackers who traffic in people's data, often bundling it and selling it to identity thieves, experts say. But there has never been a clear law on what schools should do in the wake of a hacker stealing student information.

The recent increase in ransomware has exacerbated the problem because if they don't pay, these hackers often post the victim's files on their websites. While the average person may not know where to find such sites, criminals can easily find them.

Scammers can act quickly after the information is posted. In February, Toledo, Ohio, public schools were hit by a ransomware hack in which hackers posted students' names and Social Security numbers online, and one parent told WTVG-TV in Toledo that the person with the information had begun trying to get credit cards and car loans in the name of his elementary-school-aged son.

When hackers broke into the Weslaco Independent School District near the southern Texas border last December, staff acted quickly to alert more than 48,000 parents and guardians. They heeded the FBI's advice not to pay the hackers and restored their systems from backups they keep for such emergencies.

However, because Weslaco decided not to pay, the hackers leaked the files they stole on their website. One still posted online is an Excel spreadsheet called "Basic Student Information," which lists about 16,000 students, about the combined student population of Weslaco's 20 schools last year. It lists students by name, including entries for their date of birth, race, Social Security number and gender, as well as whether they are immigrants, homeless, flagged as economically disadvantaged and flagged as potentially dyslexic.

Carlos Martinez, the district's executive director of technology, said the district's cyber insurance provides free credit monitoring services for employees. But the protections for children whose information is stored by the school and exposed by hackers are even murkier. Nine months later, the Wesla Science District is still trying to figure out what, if anything, to do for students whose information was compromised, Martinez said.

"We have attorneys working on that right now." He said.

Impact unclear

Ransomware hackers are primarily driven by profits and tend to look for targets where opportunities exist. That means the information they post online is often a hodgepodge of scattered files they are able to steal, and even schools themselves may be unaware of what is being stolen and exposed.

The problem is exacerbated by the fact that many schools are simply unaware of all the information stored on all the computers, so they may not realize the extent of the hacker theft. When the Dallas-area Lancaster Independent School District was hit by a ransomware attack in June, it alerted parents but told them that the school's investigation "has not confirmed any impact on staff or student information," Kimberly Simpson, the school's communications director, said in an email. .

But an NBC News investigation of documents leaked from the hack found a 2018 audit listing information on more than 6,000 students by grade and school and whether they were eligible for free or reduced-price meals. Simpson did not respond to a request for comment on the audit.

Sometimes student data is compromised because a third party holds that data. In May, hackers released documents they stole from the Apollo Career Center, a vocational school in northwest Ohio that works with 11 area high schools. The documents included the transcripts of hundreds of high school students from the previous school year, which are now visible.

Allison Overholt, a spokeswoman for Apollo, said in an email that the organization is still working to notify students whose information was compromised.

She said, "We are aware of the incident and are investigating it, and we are providing notification to students and other individuals involved in the information and will complete the notification as soon as possible."

Levine said, "Schools and communities tend to store a lot of data about children and they often don't have the money to pay for specialized cybersecurity experts or services."

He said, "Schools collect a lot of sensitive data about their students, some of it about their students. Some of it is about their medical history. It could be related to law enforcement. It may have to do with broken families. Schools have a solemn responsibility to take care of children, so they collect a lot of data."

Taking action

Parents quickly learn that solving these problems may fall to them. Schools may not even know if they've been hacked or if those hackers have posted student information on the dark web. Federal and state laws regarding student information often do not provide clear guidance on what to do if a school is hacked, Levine said.

That leaves parents and children with little they can do to protect themselves from the possibility of criminals accessing their personal information and using it to commit identity theft or fraud on their behalf. Eva Velasquez, president of the Identity Theft Resource Center, a nonprofit that helps victims of data theft, says the single most important thing they can do is freeze their credit while they are still minors.

"We're supposed to believe that in most cases, all of our data is compromised." Velasquez says, "We've been dealing with data breaches since 2005, they're absolutely everywhere, and just because you don't get a notification doesn't mean it's not happening."

Freezing a child's credit can be time-consuming, and to do it effectively, the process needs to be completed at all three major credit monitoring services, Experian, Equifax and TransUnion. But it has become an important step in digital security, Velasquez said.

"We encourage parents to freeze their children's credit," she said, "and from an identity theft perspective, it's one of the most powerful and aggressive steps consumers can take to minimize risk. It works for children and it's free."