More than 24.5 million records belonging to K–12 school
districts and colleges in the United States have been hit by around 1,300 data
breaches since 2005, according to a new report from Comparitech.
Not all data breaches are intentional, or the work of
attackers. In fact, data breaches often stem form carelessness, with people
compromising the security of private data in the most ludicrous ways, ranging
from simply adding the wrong name in an email chain to leaving large databases
unattended in the wild. However, it turns out that hacking really is prevalent
and accounts for more incidents than any other factor.
A new report from Comparitech looked at what states and types
of schools were affected, and the results are somewhat surprising. Looking back
15 years, the researchers found that California was the state most affected,
but Arizona follows closely when comparing the number of affected records.
Things have changed considerably in the past 15 years,
and the US Department of Education has strengthened its requirements for data
breaches in colleges and universities. The fact that any violation has to be
reported has drastically increased the number of reports, but it also makes it
clear that breaches might have been underreported for many years.
“The biggest year for breaches overall was 2008,” states
“In 2008, there were 135 breaches in total, accounting for 10.2 percent of all
the breaches. It was also the biggest year for college data breaches, with 101
(10.2 percent) occurring then.”
“However, it wasn’t the biggest year for K–12 school data
breaches. 2019 saw the biggest year for school data breaches with 60 in total.”
The study didn’t identify any patterns in the breaches,
but some odd numbers do pop up, and the reason is not clear. For example,
Wyoming is the only state to have had no known or reported K–12 or college data
breaches over the last 14 years, which raises suspicions.
Out of all the breaches, 77.7% occurred in a public
school or college, which means that private institutions seem to be less
affected. The biggest incident occurred in 2013 at the Maricopa County
Community College District, with 2.49 million records affected.
Finally, the breaches themselves have various vectors;
43.8% were the result of hacking, 25.7% were unintentional disclosures by the
institutions, thefts consisted of 13.8%, and data accessed by unauthorized
personal consisted of only 5.8% of the incidents.