There were 122 cyberattacks last year at 119 K-12 public education institutions, averaging out to an attack every three days, according to a new report on the misuse of technology in U.S. public schools.
“The State of K-12 Cybersecurity: 2018 Year in Review,” released by the K-12 Cybersecurity Resource Center, says cyberattacks have resulted in the theft of millions of taxpayer dollars, stolen identities, tax fraud and altered school records.
For instance, in December, it was discovered that the personal data of more than 500,000 students and staff in the San Diego Unified School District were stolen over an 11-month period. The data included names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, health information and legal notices.
“Public schools are increasingly relying on technology for teaching, learning and school operations,” said report author Douglas Levin. “It should hardly be surprising, therefore, that they are experiencing the same types of data breaches and cybersecurity incidents that have plagued even the most advanced and well-resourced corporations and government agencies.”
Of the 122 cybersecurity incidents identified in 2018, all but seven affected traditional school districts and charter schools, according to EdSurge. The remaining incidents were at the Florida Virtual School and several state education agencies in North Dakota and Pennsylvania.
Levin, who is also the president of EdTech Strategies, a consulting firm, maintains an interactive map of publicly disclosed K-12 cybersecurity incidents. Since 2016, there have been 419 incidents (and counting), according to the map.
“It’s definitely an undercount,” Levin said during an interview last month. He estimated as many as 10 to 20 times more undisclosed breaches occurred in 2018 within the education sector.
Below is a breakdown from the report of the types of cyberattacks schools experienced in 2018.
Data breaches were the most frequently reported type of cyberattack in 2018, primarily including:
- Unauthorized disclosures of data by current and former K-12 staff, primarily due to human error
- Unauthorized disclosures of K-12 data held by vendors/partners who have a relationship with the school district
- Unauthorized access to data by K-12 students, typically out of curiosity or a desire to modify personal records, such as grades and attendance
- Unauthorized access to data by unknown external parties, often with malicious purposes
A little over half of all digital data breaches were caused by members of the affected school community (staff, students) and 23% were caused by school vendors or partners. The remaining 23% were carried out by unknown actors.
Furthermore, student data was included in more than 60% of the 2018 data breaches.
The report also looked at the types of school districts involved in these cyberattacks, breaking them down by community type, enrollment size, poverty status and region. See the report’s chart below.
Levin was looking to understand whether certain characteristics made a district a bigger target. He concluded that overall, the cyberattacks were “non-discriminating.” However, districts with a higher population of students living in poverty were less likely to be attacked.
“One plausible hypothesis is that wealthier school communities may be relying on more technology than other district types and hence are exposed to greater risks,” he wrote in the report.
Ultimately, Levin says, the goal of K-12 stakeholders must be to reduce and better manage the cybersecurity risk facing increasingly technology-dependent schools.
“It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign,” the report concludes. “All are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”