
A report from Comparitech has looked into cyberattacks on educational institutions in the United States, finding that there have been more than 1,300 breaches since 2005 and more than 24 million records lost.

Comparitech data researcher Sam Cook dug deeper into the data and discovered that every state besides Wyoming has reported at least one breach since 2005, with California and Arizona suffering the largest numbers of records lost.

While the numbers show that 2008 had the most education data breaches, these numbers are a bit skewed because the majority of states have only implemented breach notification laws in the last few years. It was only in 2018 that the federal Department of Education mandated that all Title IV institutions have to report all breaches regardless of size.

The years with the most records lost were 2013 and 2017. The study data shows that public schools and universities often suffered more breaches than private ones.


“If we take a look at the number of breaches by US state, we can see that California had the most by far, accounting for 157 of the 1,328 breaches (11.8 percent),” the report found. “The list of worst-hit states also includes New York with 89, Texas with 79, Illinois and Ohio each with 60, and Florida with 58,” the study’s researchers state, adding that these numbers were not surprising because California, Texas, New York, Illinois, and Ohio are the biggest states in the country and have huge numbers of schools and students.

California remains a hotspot, according to the report, “yet Arizona becomes one of the worst-hit states with only slightly fewer people affected in its breaches than California (2.83 million compared to 2.88 million). West Virginia and Georgia also display high numbers of records affected in contrast to the number of breaches with 1.3 million and 1.6 million records impacted, respectively. Other states with high numbers of records exposed or stolen in breaches include Ohio (1.4 million), Massachusetts (1.7 million), and Florida (1.6 million).”

The report finds vast differences between the states with a high number of attacks on K-12 schools and those with more breaches at colleges or universities.

Texas, California, Illinois, New York and Florida had the highest number of breaches at K-12 schools from 2005 to 2020, but some states, like Nevada, still had large numbers of records lost despite a low number of breaches.

The study notes that Nevada’s high number of records lost can be attributed in no small part to two specific breaches that took place in Washoe County and Clark County. The two counties lost 114,000 and 559,487 records, respectively, in their school districts as part of the Pearson Education data breach, which affected dozens of schools across the country.

According to the study and news reports, the hack involved a student assessment tool created by Pearson’s AIMSweb and exposed the information of thousands of students. The breach of the tool left some personally identifiable student information exposed at more than 13,000 schools.

In an email interview, Cook said states like California, Texas, and Florida had high numbers because of their huge populations, number of colleges, and size of K-12 school districts, making them attractive targets.

“New York is an interesting case, though,” Cook said. “Although its college and K-12 size is among the top, and it’s experienced a large number of data breaches as a result, it’s collectively lost very few for the number of data breaches it’s had. We haven’t spoken to any CIOs anywhere, but I would chance a guess that New York’s more centralized college system, in particular, is the reason why they’ve seen fewer losses as a result.”

“They likely implement the same mitigation standards across all of their higher ed institutions, whereas most other states’ colleges and universities aren’t as centrally controlled,” Cook added. “Here and there, a few data breaches across the US are an issue of poor IT infrastructure or unintentional disclosures due to some severe oversights that leave data exposed.”

California leads in breaches and records lost

When it comes to attacks on colleges, the study found that California’s numbers were far and away higher than any other state’s, doubling and sometimes tripling the number of breaches and records lost.

According to Cook’s research, California accounted for 12.2% of the 985 college data breaches and 10.6% of the 21.5 million records impacted. New York came in second with more than 60 breaches and almost half a million records lost. Six states had more than one million records lost through breaches: Florida, Arizona, Massachusetts, Georgia, Ohio, and Washington.

Cook homed in specifically on Arizona, which had a large number of records lost in comparison to the paltry number of breaches.

“This arises from a large breach which affected almost 2.5 million records from Maricopa Community Colleges. The college system came under fire due to the length of time it took to notify those involved (seven months). The cleanup reportedly cost $26 million,” Cook wrote.

The study also has valuable data on the percentage of schools in each state that suffered breaches, finding that while California had outsized numbers, relatively smaller states had higher percentages of schools hit between 2005 and 2020.

Cook also breaks the numbers down by records lost per breach, finding that public K-12 schools lost 8,847 records per breach while public colleges or universities lost 25,312 records per breach. Private K-12 schools had 3,657 records affected per breach and private colleges or universities lost 14,046 records per breach.

Almost half of all incidents involved hacking, but a sizable number of breaches happened because of unintentional disclosures by the institutions or the theft or loss of portable devices. The biggest breaches since 2005 were the 2013 Maricopa County Community College District data breach, which resulted in 2.49 million records lost, and the 2017 Harvard Computer Society breach involving 1.4 million lost records.

Colin Bastable, CEO of security awareness training company Lucy Security, said schools are particularly vulnerable because most people working for educational institutions don’t expect to be victims.

He added that schools need to make greater investments in security and teach their staff how to stay cybersafe at work and at home.

“Hackers are very smart, and very highly motivated, whereas staff are focused on school life and their public service. It is an uneven battle. The public sector is generally less well-equipped to defend against cybercrime,” Bastable said.

“In my tests and demonstrations with customers and prospects, 30% of phishing emails get straight through state and local firewalls, compared to 10% of simulated attacks on the private sector. A lot of state and local money is now spent on teacher pensions, depriving school districts of the financial wherewithal to invest in cyberdefense, forcing security teams to make hard spending decisions. Ninety-seven percent of losses are initiated by social engineering, over 90% by email, and up to 30% of untrained school staff have a very high propensity to unwittingly open the door to hackers.”