Jul 08 2025
Security

ISTELIVE 25: District Shares Lessons Learned From a Ransomware Attack

Judson Independent School District leaders detailed how they responded to a 2021 cyberattack.

Ransomware attacks on K–12 schools are growing, rising 69% across the education sector from Q1 2024 to Q1 2025, according to Comparitech. But as CoSN’s 2025 State of EdTech District Leadership report notes, only 13% of respondents perceive ransomware as a high risk.

“It isn't if it's going to happen to you, it's when it's going to happen to you,” said Lacey Gosch, assistant superintendent of support services at Judson Independent School District, in a discussion at the ISTELive conference.

Gosch, along with Matthew Fields, executive director of technology at Judson ISD, spoke to attendees about the Texas district’s 2021 ransomware attack, explaining how they responded in the immediate aftermath of the attack, the steps for long-term recovery and how the lessons learned from that experience can advise other K–12 districts in shaping their cybersecurity strategies.


Assemble Your Team and Assess the Damage Following the Attack

Gosch assumed her role at Judson ISD in May 2021. Six weeks later, she got a call that every IT professional dreads: There had been a ransomware attack.

The first action Gosch and her team took was to notify the proper authorities, including local law enforcement, the FBI and the Southwest Texas Fusion Center in San Antonio. They then sent out communications to staff to prepare them for what was ahead and instruct them about what to do next. Then they got to work unplugging devices across the district.

“One of the huge things that was a benefit to us was our relationship with our vendors,” Gosch said. “We could not have done this without the vendors. We had vendors that came with workers to help walk through 40 sites and start unplugging things and collecting items.”

At this point, the team worked to uncover just what data had been compromised, what had been backed up and what could still be secured. Practicing an incident response plan before it's needed can be beneficial when a situation like this occurs, Gosch said.

“There's a lot of moving parts that go really, really fast,” she said. “Do tabletop exercises with your staff, so that they understand that when this happens, the circle of trust includes these people.”

During a cyberattack, communications need to be tightly monitored, which means staff members who might think they should be involved and informed might actually be left in the dark, for good reason.

“The less information that gets out of that room, the better off you are,” Gosch said. “The only information that needs to come out of that room is what people need to know on the other side of the room to help you get to the other end.”

Determine How to Protect the Stolen Data

In the days following the ransomware attack, Gosch, Fields and their team worked around the clock to assess the damage and determine where the attack originated, all the while communicating with the school board and administrators.

“Be prepared to talk to them and tell them what happened and your plan to move forward,” Gosch said. “You need to have that running around your head and what that looks like in terms of cost, because they are going to have to provide some immediate funds in order to begin your work.”

The team also contacted the cyberattackers to determine the types of files that were compromised and where the data came from. They found that most of the data was taken from hard drives, as the district hadn’t yet moved to the cloud. Luckily, the district’s backup strategy meant the impact was not as severe as it could have been.

“We had tape backups of everything,” Gosch said. “In fact, we ended up only losing one day of data.”

Still, the criminals wanted their ransom. They were connected to a large ransomware group that targeted educational institutions, Gosch said, and the organization’s reputation worried the district and its vendors.

“First and foremost, what we do as educators is protect kids,” Gosch said. “We knew that they had kids’ information or they had employee information, and at that point, we didn't know how much. It took us over a year to mine the data, and 600,000 individuals were affected by the breach itself — in all 50 states and Puerto Rico.”

Because of this impact, the school board ultimately instructed the team to pay the ransom to prevent the release of the data.

Make Changes to Procedures Based on Lessons Learned

The district’s backup system ensured that the data loss was minimal, but since the attack, the district has switched to an immutable backup system, Fields said. They also updated their wireless network and improved port security across the district.

“We ended up taking a lot of that time to go back and look at our online policies,” he said. “We have no shared drives. Everything is pretty much cloud-based, other than the data that we need specifically onsite, which is monitored.”

The district’s cyber insurance policy requires multifactor authentication to access devices, Fields said, and they made choices to prioritize user preference as well as security.

“We actually use a hardware key rather than a software multifactor,” he said. “We have people who don’t want to use their phone. On top of that, a hacker can’t get ahold of something virtual, they have to have it in their hand.”

A cybersecurity attack is a high-stress situation that can take a toll on employee mental health.

“Make sure that you have contacts and information for mental health people for your team, because it really takes a toll, especially when you're working in a locked room,” Fields said. “It’s really hard when you're working in a room 14 hours a day trying to undo something that somebody did to make sure you couldn't undo it.”

Ultimately, Gosch said, it’s important for IT leaders to recognize the roles they play in these scenarios and take responsibility for their teams both before and during an attack.

“Make sure that whoever it is that you're reporting to understands that you carry the weight of responsibility,” she said. “If somebody's system is compromised, it’s on you. Make sure that you communicate to your team, ‘This is going to happen to us. My goal here is to make sure it doesn't happen to us like it happened somewhere else because I’ve heard what it costs.’”
