Technology has vastly improved the educational world, providing new and exciting ways to learn. But it comes with a price. Once you hit the web, it’s open season for cybercrime. Education data breaches have not only impacted K-12 schools but also colleges and universities, affecting student records through ransomware attacks and other types of breaches across various states.
From 2016 to 2022 alone, there were over 1,600 publicly disclosed cyberattacks on K-12 schools. The consequences of these attacks are significant - monetary losses to school districts range from $50,000 to $1 million per school data breach, according to the Government Accountability Office.
That doesn’t even include the numerous school data breaches in 2023, which we’ll explore in this article. We’ll also look at the different types of breaches, some recent breach examples, and how to protect your school from data breaches in 2023 and beyond. As you’re about to learn, the role of school cybersecurity is more important now than ever. And the numerous laws that aim to protect students’ online data and privacy mean nothing if a cybercriminal can come right in and steal it, highlighting some of the worst data breaches in the education sector.
While data breaches may not always be driven by financial motives, they often involve the theft and exposure of personally identifiable information of students, faculty, staff, families, and third-party vendors. This stolen information can then be leveraged to initiate further cyber attacks, such as those detailed below.
The biggest school data breaches in 2023
The following school cybersecurity attacks were costly, with districts having to invest to regain control of their systems and networks. In these incidents, cybercriminals gained access to school systems by exploiting vulnerabilities, leading to significant breaches. The cost, however, wasn’t solely financial. To underscore the importance of cybersecurity in education, consider the risk of exposing personal data of students, staff and families, as well as shutting down the entire school operation for days.
According to our findings, these are the biggest data breaches in schools and colleges in the US in 2023:
MOVEit breach
MOVEit is a file transfer platform used by hundreds of U.S. schools, as well as government agencies, financial institutions, and many other organizations around the world.
In May 2023, the platform was hacked in a breach believed to have affected at least 161 U.S. schools, according to Brett Callow, a threat analyst for cybersecurity company Emsisoft . In the education sector, some of the MOVEit breach victims include Teachers Insurance and Annuity Association of America, Teachers Retirement System of Georgia, the New York City public schools , and the Minnesota education department.
While the total monetary cost of the MOVEit data breach remains unknown, personal information such as birth, social security numbers, and student ID numbers were accessed from numerous educational organizations.
Some 3,500 American schools, colleges and universities use the MOVEit tool, as is required by the U.S. Department of Education. Its purpose is for the information to be shared with the National Student Clearinghouse (NSA) - certainly not with the general public.
New Haven Public School District, Connecticut
The City of New Haven lost more than $6 million after multiple cyberattacks were carried out on its public schools. While the FBI has recovered over half of that amount, it remains a large sum to reckon with. A prime example of why having proper cybersecurity can save public schools a lot of money in the long run.
The thefts occurred in the summer when attackers impersonated private vendors and the city’s chief operating officer by email. The hackers requested electronic transfers be paid to fraudulent accounts. Six of the recipients paid more than $5.9 million, believing they were paying the school bus company.
Los Angeles Unified School District (LAUSD) Cyber Attack
Another notable data breach in 2023 was the cyberattack on the Los Angeles Unified School District (LAUSD). This incident, which occurred in February, compromised the personal information of at least 2,000 students. The breach involved unauthorized access to sensitive data, including names, addresses, social security numbers, and academic records.
The attackers were able to infiltrate the LAUSD’s network and access a significant amount of student data. The breach exposed vulnerabilities in the district's cybersecurity measures, which were insufficient to prevent such an attack. The compromised information was later found on the dark web, raising concerns about the potential misuse of this data.
The impact of this breach was profound, affecting not only the students whose data was compromised but also shaking the trust of parents and staff in the district’s ability to protect personal information. The LAUSD had to invest substantial resources into investigating the breach, enhancing their cybersecurity infrastructure, and providing support to affected individuals, including credit monitoring and identity theft protection services.
Minneapolis Public Schools
The Minneapolis Public School district revealed that a data breach and ransom attack from earlier in the year affected over 100,000 individuals. The information believed to be breached included names and addresses, social security numbers, state student numbers, and health insurance data.
In this example, the MPS district was given an ultimatum back in February: Pay $1 million or the sensitive information will be released. The information was then uploaded to the dark web, which requires the use of special software for individuals to access and that enables users to be untraceable.
Prince George’s County Public Schools, Maryland
This Maryland School District, with over 130,000 students, fell victim to a cyber attack on August 14. The Prince George County Public Schools breach affected around 4,500 user accounts, primarily those belonging to staff. While details of the compromised data have yet to be determined, it’s known to include “identification details.” No update has been given since the school system revealed back in August that they were reviewing all potentially compromised data.
The PGCPS district ranks among the 20 largest in the country, further outlining its need for stronger school cybersecurity. The district appears to have learned its lesson, however. To improve network security, it announced the wise move of adopting identity theft and credit monitoring services throughout the district.
Colorado Department of Higher Education
Colorado Department of Higher Education (CDHE) fell victim to a huge school data breach that leaked sensitive data of educators and current and former students. The data was recorded over a 13-year period.
The leak in this school data breach originated from an attack that affected the department’s IT systems in June this year. The information that was breached included names, dates of birth, social security numbers, photocopies of government IDs, and even police reports pertaining to identity theft.
No ransomware entity claimed responsibility for this breach and there’s been no statement from the department on whether or not any ransom demands were made. Typically with ransomware, it’s expected that a ransom note would be dropped, with a stated amount and a threat to release the stolen data if the demand isn’t met.
Sweetwater Union High School District
Sweetwater Union High School District was also hacked in 2023 in yet another example of failed school cybersecurity. The breach resulted in a system outage and the personal data of students, staff, and families obtained. While the cyberattack occurred in February, the school didn’t reveal details until four months later. The outage also left staff and students unable to access the Internet and email for multiple days.
Other smaller data breaches
We couldn’t possibly cover every school data breach example that has been committed of late. Bear in mind that not every school is quick in coming forward about these breaches, so by the time you read this, there may have been others that have been uncovered. Here are several more school data breaches that made headlines, including those that resulted from lax school cybersecurity.
- Cleveland City Schools, Tennessee: On August 15, a ransomware attack impacted about 5% of school-connected devices. The district said there was no indication that the attack affected student, faculty, or family data.
- Edmonds School District, Washington: In January 2023, an unauthorized party managed to access the district’s IT system for around two weeks. Personal information of students, parents, faculty, and staff was compromised in this data breach, including dates of birth, driver’s license numbers, financial account information, medical information, student identification numbers, and student records
- St. Landry Parish School, Louisiana: On July 26, the school system’s computer network was hacked. Due to sensitive data being hosted on a separate network, no personal information of teachers, staff, students, or otherwise was stolen in this breach. While school cybersecurity could be improved, they were, at least, wise enough to keep sensitive data contained.
- Lebanon School District, New Hampshire: On June 15, the school was forced to call outside cybersecurity experts to help secure school systems and investigate a ransomware attack. To date, an ongoing investigation into this data breach has found no evidence of unauthorized acquisitions or misuse of personal information
- Clark County School District, Nevada: On October 5, officials said an unauthorized party accessed limited personal information relating to a subset of students, parents, and employees. District officials are unaware of any identity theft associated with this breach and are in the process of investigating and notifying potentially affected parties.
Cyberattacks causing school data breaches
A school data breach can result in compromised data, a break of trust between the school and its students and parents, and financial losses. Unfortunately, these cybersecurity breaches can occur in multiple ways, and hackers are getting smarter about how they access school networks. The following are the most common cyberattacks that lead to data breaches in schools.
Among the worst data breaches, those impacting the education sector have seen significant exposure of sensitive information, comparing unfavorably with incidents like Adobe's breach that compromised 38 million credit card numbers, highlighting the severe vulnerability of student records.
Ransomware
In a ransomware attack, a school receives a message telling them that their computerized data is encrypted and that they’re no longer able to access it. The cybercriminals tell the school that the only way they can reclaim their data is to pay for it, i.e., a ransom.
Of course, simply wishing school cybersecurity had been more highly prioritized doesn’t do any good. As the school is dealing with a criminal, there’s no way of knowing whether or not they’ll be able to access the data again or that the criminal won’t release it anyway. In the event of an attempted breach, the best way to ensure strong school cybersecurity is to prioritize it in the first place.
Email compromise
Email passwords can be easily compromised, as human beings are naturally prone to making errors. And as school cybersecurity training is often inadequate, not enough people have been educated in password safety. Unfortunately, these errors can be costly.
This type of school data breach often occurs because the password is too simple or too easy to guess. Examples of easy-to-guess passwords include the user’s street name, birthday, or pet name. Choosing a secure password is school cybersecurity 101.
Phishing
With phishing, criminal hackers tricks a user into downloading malicious software. In order to download it, the user is prompted to provide sensitive information or to click on a link. The hacker usually pretends to be a legitimate party, like the bank or a boss, and tells the recipient that it’s important for them to react quickly.
Once a phishing attack on a school has been successful, you have given the criminal the keys to your castle and given them access to your system and data. Additionally, because school devices are interconnected, one person falling victim to a phishing scam puts the entire network at risk.
Stolen credentials
Similar to email compromise, stolen credentials result from weak passwords, phishing attacks, and compromised password reuse.
When protocols and apps send login details over a network, it can pose a serious school cybersecurity threat. If an attacker has managed to connect to the network, they can find and use the stolen credentials.
Distributed Denial of Service (DDoS)
A denial-of-service (DoS) attack is an effort to take down a service or network by giving it more traffic than it can handle. A distributed denial-of-service (DDoS) attack works by taking over devices (often by using botnets).
A DDoS assault is commonly used to create chaos for the victim and interfere with corporate activities. While they can’t technically be termed breaches, these assaults can cover for other attacks occurring elsewhere, further highlighting the importance of strong cybersecurity.
Why the education sector is an easy target for cyberattacks
Why is it that cybercriminals are particularly drawn to schools when surely there are bigger institutions to target? There are a number of reasons why cybercriminals choose to attack schools, which is why having strong school cybersecurity is so critical. Let’s explore some of the reasons that make schools such an easy target for cybercrime.
Education data breaches have shown a significant impact on educational institutions, highlighting the vulnerability of student records and the widespread consequences of such breaches across various states and types of educational institutions.
Poor funding and limited training
The education sector is among the slowest to adopt modern cybersecurity. This is largely due to insufficient funding, resulting in outdated technology. Because public schools are government-funded, they often face budget constraints. This often leads to school cybersecurity taking a back seat to infrastructure, staff salaries, and school resources. Two out of three EdTech leaders feel their district needs more resources to deal with cybersecurity issues.
It isn’t just secure technology that schools are short on, but also training. Never mind not having an I.T. team trained in cyber security - many schools don’t have a single staff member solely responsible for data security. Worryingly, some 26% of teachers say they haven’t received digital privacy or cybersecurity training.
Large numbers of users
Large numbers of people can access school networks and systems, and nearly all devices are connected. Many users also have access to school platforms outside of the network (i.e. at home), with some using their own devices. This makes these networks much larger, more vulnerable, and harder to defend against cybersecurity attacks. Teachers, staff, and students need to be made more aware of the risks when it comes to phishing and other methods of cybercrime.
Trusting targets
Email is one of the most popular ways that hackers look to source data. Cybercriminals love to attack .org and .edu email addresses, as they’re regarded as being more trustworthy than .com. Additionally, teachers and staff regularly download content sent by email, and would unlikely be suspicious about an attachment that appeared to be sent by a school administrator or colleague.
Valuable research data
Universities are known to conduct cutting-edge research. Some of their intellectual property (IP) is worth millions of dollars. While these researchers are preeminent when it comes to making discoveries and developing techniques, they can be lacking in school cybersecurity knowledge, which can make their research vulnerable to a data leak or cyber attack.
Open-source websites and vulnerable technology
Schools still use open-source solutions for their content management systems (CMS), such as WordPress and Drupal. This makes them vulnerable to bugs being used for uploading malicious files to affected websites.
Without sufficient support and oversight, an open-source website can give hackers access to sensitive data. While one of the more popular CMSes, WordPress is a common target for these kinds of attacks.
Poor device distribution practices
Faculty, staff, and students download and access resources and extensions while off-campus, not contained within the limits of their institution’s IT and school cybersecurity policies. As they download software and apps onto mobile devices and laptops, they unwittingly create insecure access points for dangerous malware and suspect networks. Schools simply haven’t emphasized best practices for device distribution sufficiently.
Protect your school system with Prey
Cybersecurity is important in any sector, but it’s perhaps more so in education. Hackers not only compromise the safety of administrators and teachers, but they also threaten the privacy of students - primarily minors - their families, and their future
Whether remotely or at schools, today millions of students use technology to learn. This emphasizes the need for solid school cybersecurity strategy. Each school is responsible for taking the necessary security measures to protect their students, teachers, and staff from cybercrimes.
At Prey, our goal is to work closely with you to create unbreakable device security and management in your educational institution. Our solution is perfectly placed to assist you in creating a more secure environment for your staff, teachers, and students, so they can feel safer in exchanging information and knowledge with their personal data remaining private and secure.
To address the best approach on how to secure your remote fleet and potential disruption, contact Prey today.
Juan is Prey's Content Specialist. He researches interesting and relevant information related to cybersecurity, and explains it in a way that everyone can understand it and make use of it.