- Since 2005, schools and colleges in the U.S. have incurred 2,691 data breaches, leading to leaks of at least 32 million individual records, according to an April report by Comparitech, a website that reviews and analyzes products improving cybersecurity and online privacy.
- To date, 2021 has marked the biggest year for data breaches in education, impacting 771 institutions and nearly 2.6 million records, Comparitech said. The Illuminate Education data breach affecting at least 605 institutions made up a significant portion of the share.
- The next year, 2022, brought 96 breaches that exposed almost 1.4 million records, and so far 2023 has seen 11 breaches with over 3,500 impacted records. The breaches since 2005 were almost evenly split between the two education sectors, with 51% happening in K-12 schools, Comparitech found.
Hacking and ransomware attacks are increasingly the source of data breaches. Likewise, third-party breaches have also seen an uptick, particularly following large-scale attacks on major ed tech companies like Blackbaud and Illuminate, according to the report.
States have varying laws when disclosing data breaches, said Paul Bischoff, editor of Comparitech.com and a consumer privacy expert. Some states have lower thresholds for reporting breaches than others, he said.
“That can result in some discrepancy,” Bischoff said. “Also, before 2018, not every state in the country had a data breach disclosure law.”
That means if a state had a data breach before 2018, they may not have had to report it at all, he said.
To collect this information on data breaches, Comparitech aggregated industry resources, state data breach notification tools and news sources.
The White House last month released a National Cybersecurity Strategy calling for increased accountability by tech companies for combating ransomware attacks — and shifting the burden away from local governments and under-resourced consumers.
Whether third-party vendors like Illuminate should be held more accountable for these breaches is a tricky subject, Bischoff said.
“Companies need to take steps to protect their data, but you also don’t want to blame victims, because ultimately Illuminate is a victim of a cyberattack,” he said. “You don’t want to penalize companies too much for data breaches, because then they won’t report them at all to get out of the consequences.”
The Illuminate data breach reached the nation’s two largest school systems — New York City Public Schools and Los Angeles Unified School District. Months after the public disclosure of the incident, ed tech company Renaissance acquired Illuminate.
In its contract with New York City schools, Illuminate promised to encrypt student information in a data privacy and security agreement, according to the school system. But the New York City Department of Education said that those protections were not in place during the cyberattack that led to the leaking of about 820,000 New York City student records. Ultimately, the school system stopped using Illuminate products following the incident.
Accountability and transparency over cyberattacks and data breaches are important, Bischoff said. In the Illuminate breach, for instance, both the company and schools should take responsibility, he said.
“The blame has to be shared on all sides. Illuminate didn’t do a good enough job protecting its data, and schools maybe didn’t do enough to vet and hold Illuminate to its standards,” Bischoff said. “But … all these people are victims of cyber criminals.”