Knowledge and Insights

K-12 Schools Experienced a Significant Rise in Cyber Breaches in 2018

Data & Statistics reported/outlined by The K-12 Cybersecurity Resource Center

2018 revealed that school districts are not immune to the same types of data breaches and cybersecurity incidents plaguing the most technologically advanced and well-resourced corporations and government agencies. During 2018, the misuse and abuse of school technology and IT systems resulted in 122 publicly-disclosed K-12 cybersecurity incidents (across 38 states, including NJ). This equates to a rate of about one new publicly-reported incident every three days. The actual circumstances are far worse, given many institutions do not report incidents.

Alarming Facts:

  • Over half of all breaches experienced by K-12 schools in 2018 were directly carried out or caused by members of the affected school community (i.e., insiders), whether by staff or students.
  • Another 23 percent of breaches were the result of a loss of control of K-12 data by school vendors or partners – regional service agencies, non-profits, associations and even state departments of education.
  • The remaining 23 percent of data breach incidents were carried out by unknown actors, often external to the school community and for malicious purposes (such as identity theft).
  • Student data was included in more than 60 percent of K-12 data breaches in 2018.
  • 46 percent of all K-12 digital data breaches included data about current and former school staff (such as payroll or other personnel records). In some cases, this has led to payroll theft, identity theft and the filing of false tax returns of educators and other school district staff.
  • Phishing attacks—the majority of which carried out over email—were also commonly experienced by school districts. These attacks were the method of choice that malicious third-parties employed to gain access to sensitive data systems or to deliver and propagate malware on school networks.
  • Perhaps most concerning in 2018 were the number of successful phishing attacks targeted at school district business officials. These scams — designed to redirect large payments from legitimate school contractors/partners to criminal accounts — resulted in the theft of millions of taxpayer dollars. The largest theft recorded occurred in 2018 and totaled approximately $2 million dollars in losses by a Texas district.
  • Responding to ransomware and other malware outbreaks was another common challenge. The impact of such incidents involved significant costs and lost time in restoring IT systems, lost data, communication services, and student/teacher devices. In some cases, IT outages caused by malware extended for weeks. In the most extreme cases, school districts were not able to restore their systems from backups and instead made the controversial choice to pay the extortion demands of criminals to regain access to their systems (as districts in Massachusetts and Michigan did in 2018).
  • School-managed social media and website defacement is a class of cyber incidents particularly troubling; these attack official communication channels to deliver unauthorized messages or to automatically redirect users from trusted school-managed sites to third-party sites.

As we look to 2019 and beyond, schools will continue to rely on technology, increasing their cyber risk profile, commonly referred to as the attack-surface. As schools broaden their data collection and sharing efforts to include even more sensitive data, including personal communications, biometric data, social/emotional and affective data, the impact of any potential cyber incident is magnified.

For more information on how to protect your school and/or district, contact Chris Mangano, Vice President of Sales & Marketing, Mercadien Technologies at 609-689-2339 or cmangano@mercadien.com.