In an analysis released in April, the tech-focused research site Comparitech detailed that the education sector in the United States experienced a record high in data breaches during the year 2021. Schools and colleges have faced a cumulative total of 2,691 data breaches since 2005, which has resulted in the exposure of over 32 million records.
The year 2021 stood out, with 771 educational institutions affected and nearly 2.6 million records compromised. A major contributor to this figure was the data breach involving Illuminate Education, which impacted at least 605 entities. Following this, the year 2022 recorded 96 breaches, exposing close to 1.4 million records. The current year, 2023, has so far seen 11 breaches affecting over 3,500 records. These breaches are almost equally distributed between K-12 schools and higher education institutions, with 51% of incidents occurring in K-12 settings.
Hacking and ransomware have been identified as primary methods of attack, with breaches linked to third-party vendors also on the rise. Notable breaches include those at significant ed tech companies such as Blackbaud and Illuminate Education.
Comparitech, through the work of its editor and privacy expert Paul Bischoff, points out that states have different standards for reporting data breaches. Some states have more stringent reporting requirements than others, potentially leading to discrepancies in reported data. Bischoff also notes that prior to 2018, not every state had enacted data breach disclosure laws, meaning some breaches may not have been reported.
The research compiled by Comparitech involved aggregating information from various industry resources, state notification tools, and media reports. The recent National Cybersecurity Strategy introduced by the White House emphasizes greater responsibility on tech companies to address ransomware attacks and suggests shifting the burden from local governments and consumers with fewer resources.
The discussion around accountability for data breaches, especially those involving third-party vendors like Illuminate, remains complex. Bischoff argues for a balance: holding companies responsible without creating an incentive for them to conceal breaches in order to avoid penalties.
The case of the Illuminate data breach, which affected large school districts such as New York City Public Schools and Los Angeles Unified School District, illustrates this point. Post-breach, Illuminate was acquired by Renaissance, another ed tech company. While Illuminate had pledged to encrypt student data for New York City schools, the city’s Department of Education indicated these measures were not in place when the cyberattack occurred, leading to the compromise of approximately 820,000 student records. Consequently, the school system ceased using Illuminate’s products.
Bischoff asserts the importance of shared accountability and transparency in handling cyberattacks and data breaches, suggesting that both the companies and educational institutions bear responsibility for protecting and overseeing data security, while also recognizing them as victims of cybercrime.