In today’s data-driven world, we are constantly giving out our personal information to websites and organizations to help automate, transfer, and verify certain processes. This information or data is often confidential or private, ranging from medical records and financial info to personal details such as an address. Often information like this is needed for primary schools and universities, and as a result these institutions typically hold large databases of their students’ personal information.
Unfortunately, as useful as these databases are for automating processes and maintaining records for schools, this trove of information makes these databases big targets for what is known as a data breach.
What Are School Data Breaches?
Currently, in the midst of the digital age, we could ensure that many universities and schools know about digital security and its risks. However, do they all really take the necessary steps to stay safe from cyberattacks? The world of cracking and cyber piracy is a reality that is growing and is a third-world risk.
School data breaches occur when either a malicious internal user or external attacker(s) gain unauthorized access to confidential or sensitive information within a school’s database. On occasion, these third parties can obtain data they shouldn’t have on accident. Typically in these cases it’s an internal user accidentally viewing data they shouldn’t normally have access to. Even if no information is taken down, this data is still considered “breached”, the security bypassed.
However, in most instances, these types of breaches are of less concern to schools than ones with mal intent. And they’re far more common than one might expect. A report released by Verizon found that, in 2021 alone, more than 40,000 security-related incidents took place. From that number, in more than 2000 opportunities data was leaked, violating the privacy of users and companies.
How Does a Data Breach Affect Schools and Universities?
School and university data breaches are problematic because bad actors can use personal information for their own gain. Fundamentally, it can be scary to know that a stranger could have your name, address, or bank information! There are very real anxieties that come from just knowing that your information is out there. But more importantly, data breaches can have real-world consequences for those who attend a school that’s been targeted.
On an individual level, data breaches often target personal information with the goal of selling it on places like the dark web or using it to further access various accounts and information. This information can act as an open door to a private room for cybercriminals. Beyond explicitly using things like bank account numbers to siphon money, these attackers are capable of doing a lot of damage with very little information! Even with just a name and email address, cybercriminals can attempt to access social media accounts or impersonate you to gain access to more valuable accounts. And it’s that much easier if they see things such as your social security number.
Perhaps worst of all, hackers can gain access to enough personal information to steal someone’s identity, presenting a whole host of potential legal challenges to overcome.
On an institutional level, data breaches at schools and universities can expose confidential information, as well as a school’s finances. And in many cases, an organization’s reputation may take a hit from a data breach, regardless of whether or not they took appropriate security precautions. This is arguably more important for business and financial institutions, but reputation still matters for schools trying to safeguard the personal information of their students.
While it may feel more logical for hackers to attack universities, there are still plenty of cybersecurity risks for K-12 schools as well. According to an analysis done by NBC News, over 1200 K-12 schools had stolen data published online by ransomware attackers. Personal data leaks of younger students offer all the same risks as older ones, even if they may not even have their own bank or social media accounts. In some cases breaches of social security numbers and personal information of students can follow these younger children for years after they occur, leading to many issues down the line.
What Are The Possible Causes of Data Breaches in Schools?
Email Mishaps
Attackers have plenty to target from schools because in today’s modern world these institutions often require their students to create accounts. While obviously quite convenient, the unfortunate downside to these accounts is that they contain information that can be used and exploited. For example, educators often send mass emails containing things like test schedules or upcoming events, and while this is an easy way to broadcast storable information, it also presents an easy bulk of targets for potential hackers.
Phishing Attacks
Another very common cause of school data breaches is what is known as phishing attacks. Phishing attacks can occur in a variety of ways. Commonly, malicious emails disguised as normal messages contain links that include malware or ransomware. It is important for schools to warn students to keep vigilant and carefully read the contents of an email and check if the sender is someone they trust before clicking on any links. Phishing attacks can also occur when students browse banned or unsecured websites. The sites often contain sketchy links that contain malware but are even capable of infecting data just from the initial click to jump to a website.
Intentional Liabilities
In less common cases, unethical actions have been taken by a student of a school, leading to an intentional data breach. While it is unfortunate, sometimes a student may feel a personal slight towards their institution and take action to harm its reputation through a data breach.
Human Error
Sometimes human error can lead to easy access for hackers, and this is, unfortunately, more common than institutions would like. Perhaps most importantly, many schools and university data breaches could be avoided if there was more time and money invested into the resources and training preventing these types of leaks.
Statistics on School Data Breaches
Verizon released a comprehensive report last year investigating thousands of data breaches across the U.S. in 2020. Here are a few important statistics regarding school breaches:
- Across the board, there were 1,332 incidents, 344 of which resulted in confirmed data breaches
- The vast majority of school data breaches came from a form of phishing or social engineering known as ‘Pretexting’, where the attacker comes up with a story to fool the victim into giving up valuable information
- External threats constitute 80% of these data breaches
- 96% of the breaches were financially motivated
- Students suffered the most from these breaches, as 61% of the compromised data was personal
Examples of School Data Breaches
In March 2021, hackers broke into the Broward County Public School District of Florida and demanded $40 million in ransom. After the school district refused to pay, the hackers published almost 26,000 stolen files for public viewing. Many of the files published pertained to accounting records and district finances and included invoices, purchase orders, and reimbursements. While the district initially claimed that no social security numbers were leaked, it was later revealed steps were taken to hide the fact that the personal information of 50,000 students and employees of the district man have been stolen through ransomware attacks. This story is a good example of how widespread data breaches can be, and how harmful institutions view them to their reputation.
Another recent data breach occurred at the University of Kentucky, which was only uncovered when an annual inspection of cybersecurity capabilities revealed a vulnerability. It was discovered that more than 355,000 email addresses belonging to people across the world were leaked. The database was not limited to the University of Kentucky, as it held information for a free resource program used across the state and even outside of it. In some cases, more personal information was leaked beyond just name and email address. However, victims of the breach caught a bit of a break when it was determined the leak contained no financial, health, or Social Security information. While the school had already spent upwards of $13m over the past five years, the university has since pledged another $1.5m to address inadequacies.
In early 2021, the University of California school system was part of a massive global data breach where malicious actors gained access to a third-party file transfer appliance (FTA) used by many organizations and businesses. The leak affected UC nearly everyone tied to the school system, from employees and their dependents, retirees and donors, as well as students and even current applicants. A whole host of personal information was stolen in the attack, including personal document numbers and financial account information. All told it was one of the largest data breaches of the last year. While handing over automated processes like file transfers to third-party companies is often necessary for organizations to operate coherently, data breaches such as this are important reminders to properly vet the cybersecurity capabilities of outside companies.
How To Prevent a School Data Breach
There are a number of steps a school or university can take to help prevent data breaches. No one solution exists to stop all data breaches for good; instead, it’s important to take a variety of actions and consistently evaluate and update any cybersecurity measures taken, as well as maintain up-to-date training for both students and educators. Here are a few effective ways you can improve your school’s cybersecurity:
Don't leave loose data
- There is a lot of information about your students on the net. Some they’ve provided themselves—like an email address or full name when they sign up for a Facebook or Linkedin account, for example—so they already know they're there, but there are many more they probably don't even know to exist. It’s important for students and educators to keep track of where they are leaving this data.
- Using a VPN and an anti-tracking service disables many (but not all) of the tools these websites and companies use to track you and collect your data
Use a digital card for your school online purchases
- Leaking some of your data is bad enough, but there's no denying that some — like credit card numbers or bank details — are more problematic (and valuable) than others.
Set a Google alert in your students' accounts
- While you can't do anything to ensure that the services and websites your students use are always secure, you can be on guard to react when these breaches happen, which is unavoidable. A good way to do this is to set up a 'data breach' or 'data leak' Google alert - students will get lots of news and links on the subject, but they’ll also find out within 24 hours if any new services or websites have suffered a leak.
Act Fast
- If you have discovered that a data breach has occurred and vital information such as students' passwords has been leaked, don't panic. Instead, start making calls to administrators and IT professionals who may have a better handle on the situation. Additionally, make any necessary changes as soon as possible, such as instructing students to update passwords.
Multi-Layered Security Strategy To Prevent School Data Breaches
One very important tool that schools and universities have at their disposal to prevent data breaches is what’s known as a multi-layered security strategy. These strategies are not single, catch-all wizardry that will prevent and restore any data breach, but rather a comprehensive plan to deploy against these attacks ahead of time. It’s important for educators and administrators to have a plan and take as many precautions as they can, and multi-layered security strategies are one way to do so. These strategies can include
- Privileged access security solutions to monitor and control access to privileged system accounts, which are frequent targets of malicious internal users and external attackers.
- Multi-factor authentication solutions strengthen identity management, prevent identity theft, and reduce risks related to lost or stolen devices or weak passwords.
- Endpoint threat detection and response tools to automatically identify and mitigate malware, phishing, ransomware, and other malicious activities that can lead to data breaches.
- Least privilege management practices closely align access rights with roles and responsibilities so no one has more access than they need to do their job. This helps reduce attack surfaces and contain the spread of certain types of malware that rely on elevated privileges.
There are many providers out there that offer up comprehensive solutions incorporating many of these installation tools mentioned above. While it can seem daunting to set these security solutions up, rest easy that they are easier to pick up than anticipated! Prey offer comprehensive packages that can provide hassle-free security to educational institutions, leaving administrators, educators, and students.
Norman Gutiérrez is our Security Researcher at Prey, one of the leading companies in the security and mobility industry, with more than 8 million users worldwide. In addition to this, Norm is Prey's Content and Communication Specialist, and our Infosec ambassador. Norm has worked for several tech media outlets such as FayerWayer and Publimetro, among others. In his free time, Norman enjoys videogames, cool gadgets, music, and fun board games.