Dive Brief:
- It took the education sector 4.8 months on average to report data breaches following ransomware attacks between 2018 and 2025, according to a report released Thursday by Comparitech.
- Schools and colleges had the highest average reporting time for ransomware data breaches when compared to the business, government and healthcare sectors, Comparitech found in its analysis of over 2,600 U.S. ransomware attacks.
- At the same time, education companies — which were counted separately from schools, colleges and universities — saw even higher reporting times at 6.3 months. Waiting months to disclose a data breach is dangerous, given that stolen data can be on the dark web before victims even know a breach happened, wrote the researchers for Comparitech, a cybersecurity and online privacy product review website.
Dive Insight:
Delayed reporting of data breaches comes at a time when schools and ed tech companies alike are grappling with the ongoing threat of ransomware attacks.
Some 82% of K-12 schools reported experiencing a cyber incident between July 2023 and December 2024, according to the nonprofit Center for Internet Security. The top threats schools faced include ransomware attacks, phishing, social engineering and data breaches.
Illustrating the prolonged response times for ransomware breaches, the latest Comparitech report pointed to Texas’ Alvin Independent School District confirming just this month that a June 2024 data breach impacted nearly 48,000 people. The data involved names, Social Security numbers, credit and debit card numbers, financial account information, medical and health insurance information, and state-issued IDs.
Organizations often wait to disclose a data breach because they are unsure if data was stolen following a ransomware attack until the hacker posts the stolen information on the dark web, Comparitech said.
“Data theft is a common component of ransomware attacks, so it’s not unreasonable for companies to assume hackers stole data, even if there isn’t any evidence to suggest data theft at first,” researchers wrote. “The worst thing to do is to jump to the conclusion that data hasn’t been stolen.”
More recently, school districts have been deeply concerned about a widespread breach of student and staff data across North America following a December 2024 ransomware attack on ed tech provider PowerSchool.
Though PowerSchool disclosed the cybersecurity incident about a week later, the company allegedly told districts not to worry about sensitive student and staff information being exposed. Five months later, however, PowerSchool publicly confirmed that, despite paying a ransom to threat actors, multiple school districts were being extorted with the same information stolen in the December incident.
Since then, over 100 school districts — including Tennessee’s largest school system, Memphis-Shelby County Schools — have sued PowerSchool for negligence, breach of contract and false advertising.
The FBI advises against paying threat actors following a ransomware attack. If organizations pay a ransom, it still doesn’t guarantee any data will be recovered, the agency’s website states, adding that ransom payments can actually encourage more attacks.
