Privacy & Security

Schools Suffered at Least 122 Cybersecurity Incidents Last Year

By Benjamin Herold — February 07, 2019 3 min read
  • Save to favorites
  • Print

The nation’s K-12 schools experienced 122 publicly reported cybersecurity incidents in 2018, more than half of which were caused or carried out by staff or students, and nearly 60 percent resulted in students’ personal data being compromised.

And that’s likely just the tip of the iceberg, according to a report released Thursday by the K-12 Cybersecurity Resource Center, which noted that many more such breaches and attacks likely went undetected or unreported.

“Many of these incidents were significant, resulting in the theft of millions of taxpayer dollars, stolen identities, tax fraud, and altered student records,” reads a press release accompanying the report.

“Ultimately, the goal of policymakers, technologists, and school leaders must be to reduce and better manage the cybersecurity risks facing increasingly technologically dependent schools.”

Over the past two years, a steady stream of breaches and attacks have highlighted public schools’ struggles to secure their networks and protect the sensitive personal information of students and staff. In 2017, Education Week and the Consortium for School Networking jointly surveyed the nation’s K-12 school technology leaders, finding that they underestimated cyber threats and were often failing to take even basic precautionary measures.

The results of that dynamic have been evident in headline-generating incidents, such as a case of two Michigan middle schoolers hacking their school district for more than two years, which was first reported by the K-12 Cybersecurity Resource Center. And the group’s year-in-review summary data now start to quantify the scope of the problem.

Among the key findings in the new report:

  • “Unauthorized disclosures, breaches, or hacks resulting in the disclosure of personal data” were the most prevalent type of incident experienced by K-12 schools accounting for 46.7 percent of the 122 publicly reported incidents catalogued by the K-12 Cybersecurity Resource Center. These incidents included improper disclosures by school staff, vendors, and partners, often the result of human error.
  • Other prevalent incident categories included phishing attacks (15.6 percent of all publicly reported incidents) and ransomware attacks (9 percent.)
  • While students and school staff were the primary perpetrators/cause of such incidents, 23 percent were caused by the loss of control of data by vendors or outside partners, and 23 percent were conducted by unknown actors external to the school community.
  • In 46 percent of the catalogued incidents, staff data (such as payroll and personnel records) were compromised.
  • While the size and location of districts didn’t seem to directly correlate to their likelihood of falling victim to a cyber breach, there were signs that school districts serving fewer students in poverty were more likely to be affected.

And the report also highlights a “top 10" list of K-12 cybersecurity incidents over the past year, including:

  • In Pennsylvania, the state education department suffered a potential breach with its Teacher Information Management System, risking the personal information of 330,000 professional school staff.
  • The Florida Virtual School unwittingly published unencrypted personal information of students and staff, some of which ended up on the unregulated “dark web.” Roughly 368,000 current and formers students, staff, and families were affected.
  • A Massachusetts school district paid a $10,000 ransom, in Bitcoin, after it was hit by a ransomware attack and was unable to access its own email services, school lunch payment services, and website.
  • A Texas school district was scammed out of $2 million in school construction funds, one of numerous incidents (in states also including Idaho, Louisiana, and New Jersey) in which school business officials were targeted in successful phishing attacks leading to district payments being improperly directed to fraudulent accounts.
  • Chicago Public Schools disclosed three data breaches in 2018 alone.

The problem is severe enough that the Federal Bureau of Investigation has issued a warning to schools.

“It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign,” the new report concludes.

“All are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”

Image: Getty

See also:

A version of this news article first appeared in the Digital Education blog.