Report: K-12 Schools Experienced 122 Cyber Attacks in 2018

A new report from the K-12 Cybersecurity Resource Center says a U.S. school district falls victim to a cyber attack as often as every three days.

Report: K-12 Schools Experienced 122 Cyber Attacks in 2018

The report also found 46.7 percent of 2018 cyber attacks in K-12 schools were data breaches.

There were 122 cyber attacks last year at 119 K-12 public education institutions, averaging out to an attack every three days, according to a new report on the misuse of technology in U.S. public schools.

The State of K-12 Cybersecurity: 2018 Year in Review,” released by the K-12 Cybersecurity Resource Center, says cyber attacks have resulted in the theft of millions of taxpayer dollars, stolen identifies, tax fraud and altered school records.

For instance, in December, it was discovered that the personal data of more than 500,000 students and staff in the San Diego Unified School District were stolen over an 11-month period. The data included names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, health information and legal notices.

“Public schools are increasingly relying on technology for teaching, learning and school operations,” said report author Douglas Levin. “It should hardly be surprising, therefore, that they are experiencing the same types of data breaches and cybersecurity incidents that have plagued even the most advanced and well-resourced corporations and government agencies.”

Of the 122 cybersecurity incidents identified in 2018, all but seven affected traditional school districts and charter schools, according to EdSurge. The remaining incidents were at the Florida Virtual School and several state education agencies in North Dakota and Pennsylvania.

Levin, who is also the president of EdTech Strategies, a consulting firm, maintains an interactive map of publicly disclosed K-12 cybersecurity incidents. Since 2016, there have been 419 incidents (and counting), according to the map.

“It’s definitely an undercount,” Levin said during an interview last month. He estimated as many as 10 to 20 times more undisclosed breaches occurred in 2018 within the education sector.

Below is a breakdown from the report of the types of cyber attacks schools experienced in 2018.

Data breaches were the most frequently experienced type of cyber attack reported in 2018, primarily including:

  • Unauthorized disclosures of data by current and former K-12 staff, primarily due to human error
  • Unauthorized disclosures of K-12 data held by vendors/partners who have a relationship with the school district
  • Unauthorized access to data by K-12 students, typically out of curiosity or a desire to modify personal records, such as grades and attendance
  • Unauthorized access to data by unknown external parties, often with malicious purposes

A little over half of all digital data breaches were caused by members of the affected school community (staff, students) and 23 percent were caused by school vendors or partners. The remaining 23 percent were carried out by unknown actors.

Furthermore, student data was included in more than 60 percent of the 2018 data breaches.

The report also looked at the types of school districts involved in these cyber attacks, breaking them down by community type, enrollment size, poverty status and region. See the report’s chart below.

Levin was looking to understand whether certain characteristics made a district a bigger target. He concluded that overall, the cyber attacks were “non-discriminating.” However, districts with a higher population of students living in poverty were less likely to be attacked.

“One plausible hypothesis is that wealthier school communities may be relying on more technology than other district types and hence are exposed to greater risks,” he wrote in the report.

Ultimately, Levin’s says, the goal of K-12 stakeholders must be to reduce and better manage the cybersecurity risk facing increasingly technologically-dependent schools.

“It won’t be solved solely by an infusion of money, new technologies, new policies and regulations, or a cybersecurity awareness campaign,” the report concludes. “All are likely necessary, but how they are implemented and evolve over time to meet the specific and idiosyncratic needs and constraints facing public K-12 schools will matter most of all.”

About the Author

Contact:

Amy Rock is Campus Safety's senior editor. She graduated from UMass Amherst with a Bachelor’s Degree in Communications and a minor in Education.

She has worked in the publishing industry since 2011, in both events and digital marketing.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!


One response to “Report: K-12 Schools Experienced 122 Cyber Attacks in 2018”

  1. […] in attacks on the education sector in the United States and around the world. In fact, there are three main threats impacting schools — data breaches, phishing, and ransomware. Let’s take a look at each of these […]

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ