Big. Wealthy. Suburban. Those are the school districts most likely to report a data breach, according to a report released Thursday by the Government Accountability Office, Congress’ investigative arm. Cybersecurity is an especially sensitive issue right now, as schools around the country are operating virtually to avoid spreading COVID-19.
The agency found that districts where 25 percent or fewer students are eligible for free or reduced-price lunch comprised 26 percent of reported breaches, although they make up only 15 percent of all districts across the country.
And it found that suburban districts were more likely to be the target of attacks than urban or rural districts. Suburban districts made up 61 percent of districts with breaches, although they are only 39 percent of school districts overall. On the other hand, rural districts comprised 21 percent of districts with reported breaches even though they make up 42 percent of school districts overall. Urban districts comprise 19 percent of all districts, but 17 percent of districts with reported data breaches.
What’s more, larger districts also tend to be targets of reported attacks more often than smaller districts. School districts with fewer than 1,000 students comprise 60 percent of all districts, but just 18 percent of those with reported hacks. Meanwhile, districts with more than 10,000 students make up just 5 percent of districts overall, but comprised 30 percent of reported hacks,
Why might that be? Experts who spoke to the GAO said that, for one thing, it might be easier to target larger districts since they are likely to have more staff members and, therefore, more people to respond to a potential phishing email. And bigger, wealthier districts are more likely to use more technology than smaller, poorer districts, which also provides more opportunities for a breach. Wealthy, large, suburban districts are also more likely to have people constantly monitoring their networks (such as a chief technology officer) and may notice an attack which less well-resourced district may not.
More than half of data breaches are intentional, the report found, while about a quarter are accidental. When the breach was intentional, students were most often responsible. And grade changes were the most common motivation. When the breach was an accident, staff were most often responsible. For instance, staffers might email data to the wrong recipients or post it on a public website, which is considered a breach.
The GAO’s analysis relied on data from the K-12 Cybersecurity Research Center, which you can check out here.
A version of this news article first appeared in the Digital Education blog.