- Legislative audit warns cyberattackers continue to target schools.
- Auditors conclude Utah's K-12 school districts and colleges can do more to fortify cybersecurity.
- Past cyberattacks have exacted costly tolls at several Utah schools.
Keeping Utah’s K-12 schools and college campuses safe goes beyond physical threats to students, faculty, staff and property.
In 2025, schools must be constantly vigilant against cyberattacks.
That’s the cautionary message emphasized in a performance audit report presented Thursday to the Legislative Audit Subcommittee.
Cybersecurity threats such as ransomware, data breaches and email fraud are increasing realities in public education — evidenced by a pair of recent cyber breaches at a pair of Utah school districts that resulted in financial losses and exposed student data, according to a report prepared by the Office of the Legislative Auditor General.
Reported “cyber incidents” in public education in the U.S. jumped from 400 in 2018 — to 1,300 in 2021.
“Cyberattacks in other states,” the audit warns, “demonstrate the possibility of consequences on an even larger scale in both public and higher education.”
More can be done to protect Utah’s public schools — both in K-12 and higher education, the audit concluded.
Prioritizing cybersecurity in Utah schools
Legislative auditors found that Utah’s local education agencies — or LEAs — are not fully implementing baseline cybersecurity practices, leaving school systems vulnerable.
“Testing and statewide surveys found significant gaps in incident response planning, training and patch management, with smaller districts lagging furthest behind,” the audit summarized. “Barriers such as insufficient staffing, limited resources and lack of prioritization continue to hinder progress.”
Auditors suggested Utah lawmakers facilitate improvement by “studying possible minimum cybersecurity standards and solutions to LEA’s cybersecurity challenges.”
Utah’s higher education institutions, meanwhile, have largely adopted high-impact practices — but vary in implementing broader cybersecurity controls.
“Weaknesses are most evident in web and email safeguards and in cybersecurity training, both critical areas exploited by attackers,” according to the audit.
“Oversight and accountability are also inconsistent, as institutions differ in how they develop and communicate information security plans.”
Auditors recommended that the Utah Board of Higher Education clarify its institutions’ roles and responsibilities in ensuring cybersecurity.
“Stronger governance and more consistent baseline protections would help protect sensitive student, financial, and research data.”
Utah schools counted among cyberattack victims
The legislative auditing team found that Utah’s LEAs can be more vigilant in defending against cybersecurity threats.
The solution? Start by providing enhanced guidance on key cybersecurity controls and standards.
“The Legislature should consider studying possible minimum cybersecurity standards for LEAs,” the audit recommended. “The Legislature should also consider studying how to address persistent barriers to LEA cybersecurity, such as low prioritization of cybersecurity, inadequate staffing, and challenges in training and retaining skilled personnel.”
The report cited cyberattacks on two Utah school districts and a vendor that provides services to many school districts in the state.
In one district, an attacker successfully infiltrated its system and began stealing data. The district spotted the attack and limited the damage — but data for approximately 450,000 students and 30,000 employees was impacted.
Ultimately, the school district had to pay $150,000 to their cyber insurance provider and dedicate “significant amounts” of technical staff time to recovery. Seven full-time equivalent district employees spent about 75% of their time over several months to recover from the attack, the audit reported.
“This is significant because LEAs told us that staffing is a barrier to improving cybersecurity. Instead of improving cybersecurity controls, this district was forced to respond to an attack.”
A cyberattack last year on another Utah school district exacted a recovery cost estimated at up to $150,000.
“The attacks on both school districts could have been prevented by more fully implementing multifactor authentication,” the audit reported.
Additionally, an education software vendor reported a breach in 2024 that affected the data of customer LEAs in Utah.
“It may have been the largest breach of personal information for students nationwide. Attackers were able to access systems because MFA was not enabled on a compromised employee account,” according to the audit.
The Legislature, recommended auditors, can study possible solutions to the difficult cybersecurity challenges facing Utah’s LEAs — “like insufficient prioritization of cybersecurity, staffing, training, and recruiting and retaining skilled personnel.”
If the Legislature studies this issue, the audit added, it should take into account the differences between large and small school districts in cybersecurity capabilities.”
Higher education institutions at risk for cybercrime
Cyber criminals are also targeting colleges and universities — and bad actors are becoming increasingly sophisticated.
Thursday’s audit reported that the Utah System of Higher Education includes a wide variety of institutions serving more than 200,000 students — and each school operates complex IT systems that are attractive targets for cyberattacks.
Fairly recent incidents in Utah and across the nation — including ransomware attacks, data breaches, and other compromises — demonstrate the significant financial and operational consequences such events can have on higher education.
Utah schools, according to auditors, are implementing cybersecurity controls — “but can do more to ensure compliance and further progress in adopting baseline cybersecurity controls. Unaddressed weaknesses could expose the system to costly attacks.”
Utah’s colleges and universities should ensure they are following state policies — while also developing plans for implementing their specific cybersecurity controls, according to the report.
The Utah Board of Higher Education should ensure adequate oversight of cybersecurity at member institutions by clarifying policy, suggested auditors. “While USHE institutions have successfully implemented certain basic cybersecurity practices, more can be done to improve core cybersecurity controls and cybersecurity oversight within USHE.”
Utah counted among states targeted by cyberattacks.
In 2020, the University of Utah’s College of Social and Behavioral Science experienced a ransomware attack on its servers. The university paid a $457,000 ransom, most of which was reimbursed by their insurance provider, according to the audit.
In that University of Utah incident, the school spent about 5,000 hours of staff time resolving the issue.
Meanwhile, the USHE reports that a different institution had a data breach in 2021 where they had to notify about 3,800 people and had direct costs of $25,000.
The audit applauded institutions for using multifactor authentication on their systems.
“We are encouraged by the recurring cybersecurity assessments USHE institutions have been doing on each other for over a decade. Cybersecurity personnel from USHE institutions test the defenses of other institutions regularly. This shows good leadership and collaboration.”
Legislative auditors recommended that the state board clarify roles in its cybersecurity policy — including compliance accountability — for its institutions.
Additionally, auditors recommended that the Legislative Audit Subcommittee consider including cybersecurity and validation as part of current and future audits performed by its auditors.
USHE Commissioner Geoffrey Landward told the subcommittee Thursday that his office agrees with the report’s recommendations for higher education — calling it a “critical audit.”
“As the auditors have pointed out, while we have made strides as a system of higher education, there are areas for improvement,” said Landward.
“We’re grateful for the opportunity to partner with legislative auditors, and the resources they bring, to help us identify where we can still improve.”