The district’s new chief thought spring was too late for such a drastic move: Parents had already made plans for the fall term.

“I thought, ‘Why are you closing a school right now? ’ ” Dorland said. “ We’re preparing for next year.”

Enrollment at , a school in Arvada, outside Denver, hovered around 100 students — representing a 45% drop since 2017. Some grade levels had dwindled to a single classroom and the district was losing money on basic services like busing and lunch. Most extracurricular programs had disappeared.

But closing schools was “political suicide,” Dorland thought.

Then she started visiting classrooms herself. “We had families deciding to leave these small schools even though they loved them,” she said. 

Since her arrival, Jeffco has shuttered 16 schools. Four more are slated to close at the end of the school year.

School communities forced to say goodbye to legacy institutions go through something akin to the stages of grief. Residents with emotional ties to schools their parents and grandparents attended frequently push back. But Dorland has earned respect for a straightforward approach to a process leaders will confront in the coming years. While implementing a daunting closure plan, she didn’t ignore the human cost, assigning staff members to ease both principals and families through the transition.

“A lot of people don’t have that muscle — to just look someone in the eye and say, ‘I know this is devastating, but I’m looking at the district as a whole,’ ” said Trace Faust, senior project director at the Keystone Policy Center, a Colorado nonprofit that held community meetings to discuss the closures. “That’s a bold thing to do, and that’s what districts need right now.”

In Colorado, as in much of the nation, experts chalk up enrollment declines to a drop in birth rates and housing prices that remain out of reach for most young families. The “gateway to the Rockies” is such a desirable place to live that older after their children grow up, leaving fewer houses on the market. 

A need to grieve

At Fitzmorris Elementary, one first grade class had just five students. Small schools lacked their own music and physical education teachers. And afterschool providers canceled programs because only a handful of students signed up.

After a second last-minute vote to shut down Fitzmorris in the spring of 2022, board members decided they could no longer address closures piecemeal. The district recommended shutting down 16 schools and held a series of community meetings before casting a final, unanimous vote in November. The timing gave families the rest of the school year to absorb what the changes would mean for their children.

But some of those gatherings didn’t get off to a great start. With talk of “re-envisioning” schools and the benefits of consolidation, the staff from Keystone was several steps ahead of the community — even “tone deaf” to parents’ concerns, Dorland said. 

Faust agreed those first meetings “honestly missed the mark. The community needed to grieve and needed to be mad.”

That’s when principals began to take a larger role in the conversations. School leaders could “get the room back together if things were going sideways,” Faust said. Some stationed themselves in their school libraries for days to talk to parents one on one.

What Dorland didn’t want, however, was parents coming to the forums hoping to get leaders to reconsider. 

“I don’t believe in pretending like communities have a choice when they don’t,” she said.

‘Don’t want a mass exodus’

That left some parents feeling shut out. Families from Kullerstrand Elementary, a Title I school in the Jeffco city of Wheat Ridge, wrote letters and protested at public hearings.

“Their minds were already made up, which was really sad,” said Kim St. Martin, Kullerstand’s former PTA president. 

After the board’s latest vote in October to this spring, some parents threatened to leave the district. 

“That’s a tricky situation, because we don’t want a mass exodus,” said LaVerne Manzanares, a former reading specialist who now helps families with children attending new schools.

Michael Zweifel, a former principal whose school, New Classical Academy at Vivian, was one of those closed, also shifted to a new role. She began supporting administrators at “receiving” schools that suddenly had to accommodate more cars in their parking lots and students in the lunch line. They’ve opened up spots on school leadership committees for teachers from closing schools, and held ice cream socials, movie nights and picnics for families to meet.

The closures were especially jarring for families in Wheat Ridge, a tight-knit community between Denver and the Rockies. The district closed three of the small city’s elementary schools, sparking anxiety about the future of its local high school. 

Alanna Ritchie, whose first grader attended Wilmore-Davis Elementary, was among who wanted Wheat Ridge city council members to pressure district leaders to change their minds. During a September 2022 council meeting, she warned the mergers could lead to the opposite problem — overcrowding — and that some of the receiving schools couldn’t accommodate additional traffic.

The convenience of walking to school is a “right” that was being “ripped away from our own children,” she said. “Small, connected neighborhood schools — it’s what defines us as a true community.”

St. Martin, the former Kullerstrand PTA president, still gets choked up over losing her neighborhood school. It was important to her, she said, that her children attended a more racially diverse school. Now they attend predominantly white Prospect Valley Elementary.

“Selfishly, I loved my relationships,” she added. “You could talk to any teacher.” 

‘Day and night contrast’

While some parents wish they could have had more say over which schools closed, experts say Dorland’s plan was better than leaving families in limbo. Brian Eschbacher, an enrollment consultant, said the uncompromising way she managed the closures is a “night and day contrast” to how Denver Public Schools, her previous employer, handled a similar issue.

Denver leaders a definitive list of schools to be closed last school year. They from the community, but ultimately abandoned a closure plan in the face of emotional appeals from parents.

Denver’s union-backed school board placed a lot of the blame for enrollment loss on . But Eschbacher, who previously led planning and enrollment services for the district, said the city has contributed to enrollment decline by continuing to approve construction of luxury that don’t attract families with young children. 

“I always tell boards, ‘This is outside of your control. This is about births and housing, and you don’t control either,’ ” he said.

Meanwhile, the challenges that defined Dorland’s early tenure aren’t over. Her plan to close two K-8 schools — Arvada and Coal Creek — has strong opponents, including Danielle Varda, the only person on the five-member board to vote against closure. She thinks the decision to shut down the two schools was rushed. Closing Arvada K-8 will cause further disruption for students who have been through previous mergers, she told the board. The district would also have to expand programs for English learners and immigrants at other schools when Arvada K-8 already offers those services.

“This plan perpetuates systemic oppression that these families have faced much of their lives,” she said.

Dorland acknowledges that parents in Wheat Ridge, where families have lived for generations, are “probably still angry.” She wishes she had done more to help city and county officials understand why the district couldn’t put off closing schools any longer. But once the decision was made, the consolidation process moved quickly.

“We had run out of runway,” she said, “and we had to take off.”

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep. 

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”

Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told ����Ӱ��. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, is already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records. 

Schools nationwide rely heavily on Google Workspace to create, and share records and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them. 

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by ����Ӱ��, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement. 

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with ����Ӱ��, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores. 

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.” 

Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.” 

A hack with TikTok origins

Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage. 

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform. 

Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.” 

The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public. 

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.” 

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.” 

He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing. 

In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told ����Ӱ��. She said the student’s email address was used to send four emails, which were then deleted. 

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.” 

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.” 

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, of numerous news reports when she contracted COVID and never recovered. 

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

“I’ve emailed the superintendent and I just continue to call that helpline,” she said “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.” 

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told ����Ӱ��.

Among those calling for Superintendent Yara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.” 

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”