K-12 Schools Experienced 1 Cybersecurity Incident Every 3 Days in 2018

The K-12 Cybersecurity Resource Center documented 122 cybersecurity incidents that impacted public K-12 school districts in the U.S. in 2018. That means roughly one new incident every three days of the calendar year. And that may be just the tip of the iceberg, experts say, as it’s likely that many more school breaches or attacks were either not detected or not reported. Learn how you can better protect yourself and your school-aged child.

60 Percent of School Data Incidents Resulted in Students’ Personal Data Being Compromised

Student data was exposed in more than 60 percent of K-12 data breaches in 2018.  Unfortunately, schools can be tempting targets for cybercriminals, as they typically store a mountain of personally identifiable information (PII) of both students and staff members, which hackers can collect and then sell online.

In one report that analyzed security incidents affecting educational institutions in five countries, experts found that an estimated 70 percent of cybersecurity incidents in education were motivated by financial gain. The report found that 72 percent of the data compromised in attacks was personal, 14 percent was some kind of secret, and 11 percent was medical in nature.

Stolen personal information belonging to children has already been found for sale on the dark web by security researchers—presumably for use by identity thieves. Although the exact source of data available on the dark web can be difficult to parse out, it may have originated from past school data breaches.

With the ever-growing adoption of technology in schools, K-12 cybersecurity incidents are expected to become both more frequent and potentially more significant.

Cyber Attacks Impact School Districts of All Sizes and in All Locations

According to the K-12 Cybersecurity Resource Center, cybersecurity incidents in K-12 schools do not seem to discriminate by community type, school district location, or school district size.

The state of Kentucky, for example, experienced more than 4 billion attempted cyber attacks on its K-12 computer systems in 2018, according to a hearing before the House Committee on Education and the Workforce. Most of those attacks were the result of email phishing scams that targeted school staff.

As an example, a 2018 phishing attack against California’s San Diego Unified School District  resulted in the theft of information of more than 500,000 students and staff. Hackers accessed Social Security numbers, first and last names, dates of birth, addresses, phone numbers, student schedules, disciplinary records, health information, and even detailed information regarding the students’ parents or guardians, including first and last names, phone numbers, addresses, email addresses, and employer information.

Experts estimate that during 2018, school security breaches resulted in the theft of millions of taxpayer dollars, stolen identities, tax fraud, altered school records, website and social media defacement, and the temporary loss of access to school technologies and IT systems.

What Are Schools and Lawmakers Doing to Protect Student Privacy?

The U.S. Department of Education states that it is working to help educators better safeguard the security of student data. The Family Educational Rights and Privacy Act (FERPA) is one step in that direction.

FERPA is a federal law that gives parents the right to access their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of PII from the education records.

However, FERPA does not require educational institutions to adopt specific security controls. Rather, it dictates the use of “reasonable methods” to safeguard student records. Despite the law, the agency acknowledges that hundreds of educational data breaches still occur every year, potentially violating FERPA, as well as possibly exposing students to identity theft, fraud, and extortion.

Parent Toolkit for Student Privacy

Fortunately, there are resources available for parents and guardians to help better protect their school-aged children from identity theft.