During calendar year 2019, the center cataloged 348 publicly-disclosed school cyber incidents. That includes malware outbreaks, phishing attacks, denial of service attacks, and more. That’s more than three times the number of similar incidents during 2018.
So why the uptick? The report suggests that it’s due partly to schools’ greater reliance on technology for everything from teaching and learning to day-to-day operations.
Schools were most likely to experience data breaches and other unauthorized disclosures. In fact, these made up 60 percent of all catalogued incidents. Most of these breaches included data about school staff, which can lead to identity theft and fraud.
About half of the data breaches were due to actions of school vendors, regional service agencies, non-profits, or state departments of education. Another 9 percent were thanks to school staff or students. (The report doesn’t delve into how the others originated.)
The second most prevalent type of attack: Malware, which accounts for 28 percent of incidents, or roughly double the number of 2018. Malware, which can cause serious outages, prompted individual schools in Alabama, Arizona, New Jersey, New York, and Ohio to close, according to the report.
Another 8 percent of attacks involved “phishing” schemes. Those can happen when a hacker sends a mass email to staff, pretending to be a district official and asking, for instance, for help in purchasing gift cards. But emailers can also go after employee payroll information, in order to steal employees’ identity and tax information.
Schools that experienced cyber attacks in 2019 were more likely to be in densely-populated areas (like suburbs and cities) and have big student populations. Rural schools, particularly in the central U.S., were less likely to experience attacks. Bigger districts have more technology and more people using it, therefore more vulnerability. And rural districts may be less likely to report attacks.
The report suggests that districts can protec themselves by investing in greater IT security capacity, particularly through training. It also recommends that federal and state governments enact regulations for basic rules to keep data safe and secure, also known as “cyber hygiene,” invest in cyber security tools specific to K-12, and boost cyber security information sharing and research.
Images: Getty, K-12 Cybersecurity Resource Center
A version of this news article first appeared in the Digital Education blog.