Congressional watchdog report counts breaches of Social Security numbers and health records at schools
How vulnerable is student data at U.S. public schools? That’s a critical question now that many, if not most, of the nation’s 51 million students are learning online at least some of the time.
Congressional watchdogs recently attempted to get a handle on the cyber security problem in schools. In a report publicly released in October 2020, the Government Accountability Office (GAO) counted 99 school data breaches over the past four years, from July 2016 to May 2020, that compromised the personal information of thousands of students in kindergarten through high school.
Attacks by cyber criminals were rare, the GAO found. More common were unintentional leaks in which private information, such as health records and telephone numbers, was accidentally made public. Students were responsible for more than a quarter of the breaches; their most frequent motive was changing grades.
The GAO relied on a private database of cyber attacks and leaks collected by Doug Levin of EdTech Strategies, a consulting firm. That’s because there’s no federal requirement for school districts to report data breaches. Most states have data breach notification laws but they vary a lot and there’s no obligation for state agencies to disclose them publicly. So the GAO turned to Levin’s K-12 Cybersecurity Resource Center, which has been collecting press clips about school data breaches from around the country and monitoring the states that do publicly report, such as Texas.
However, Levin’s own analysis of the data he shared with the GAO arrived at different totals. He counted 458 data breaches in school districts; 315 involved the unauthorized release of student data. That’s more than four times greater. Levin documented that more than a million student records have been affected, not thousands.
Why the discrepancy? The GAO counted each attack as one incident regardless of how many school districts were affected. Levin counted each district’s data breach separately, even if they were all hit by the same cyber attack. For example, a major breach at educational testing company Pearson in 2018 affected an unknown number of student records in thousands of schools. The GAO counted that as one incident. Levin identified 135 of the districts and counted it as 135 separate incidents.
Another news organization, Comparitech, claims even larger numbers. Earlier this year, the website estimated that 24.5 million student records had been compromised in 1,327 data breaches in U.S. schools, including colleges and universities, since 2005.
Levin believes both he and the GAO have undercounted the actual number of breaches because many incidents are never reported. Often schools are unaware. “We don’t know how significant the undercount is,” said Levin. “I’m willing to suggest that it could easily be 10 to 20 times larger than what is available in my dataset.”
“Certainly, it’s happening more frequently in our time of remote learning,” Levin added.
The real concern about cyber attacks in U.S. schools is whether students have been harmed.
Levin offered some anecdotal evidence of potential harm from his database. Dozens of students had their private health information posted online in Norfolk, Virginia. In this instance, school employees accidentally posted the information. Confidential health information of students in Chicago was kept on unsecured web documents that anyone could access. In a third case, a high school survey that asked students to identify bullies or their victims was inadvertently shared by staff. Students and teachers feared retribution. In all three of these examples, school employees rather than criminals caused the student data breaches.
Levin also described a few instances of criminals using schoolchildren’s Social Security numbers to open up credit accounts. Children may not learn about their identity theft until they become adults and apply for credit themselves.
But the data indicates that school employees were more likely to be the targets of cyber criminals than students. Levin’s records show that more than $17.5 million in education funds have been stolen from districts, some of which has been recovered by law enforcement. E-mail phishing scams, asking to confirm bank account numbers, prey upon back office staffers at schools whose jobs are to pay vendors. “The single biggest dollar theft I’ve seen was around a school construction project,” said Levin. That cost a Texas school district more than $600,000.
In a common tax season scam, criminals pretended to be the superintendent and emailed back office staffers a request for all the employees’ W-2 tax forms. Teachers discovered they’d been swindled after they filed their personal tax returns.
“The IRS responded by saying thank you very much for filing your second tax return,” Levin said. “We already sent your refund. Have a nice day.” He estimates that scammers targeted roughly three dozen districts with this kind of attack.
Many of the largest student data breaches have occurred not inside schools but inside the computer systems of private companies that sell to schools. That’s because education technology companies store a lot of personal student data, even Social Security numbers, on their servers in order to keep track of test scores and grades. In addition to the cyberattack at Pearson, there have been large breaches at Edmodo, K12.com and Schoolzilla, each affecting more than a million students’ records.
Ransomware incidents at schools are on the rise, according to Levin. In these attacks, malware encrypts a school’s devices and computer files and prevents access, shutting down computer networks. The criminals charge an extortion fee to unlock the files. Sometimes it’s unclear if criminals are just scrambling the data or if they’re also seeing the data. More recently, criminal groups have been stealing data before they activate the ransomware. Then, they threaten to make the student data public to persuade the school to pay. In recent months, Las Vegas; Fairfax, Virginia; and Toledo, Ohio have been hit with ransomware schemes like this. Even when school districts avoid paying an extortion fee, “large amounts of very sensitive data have now been dumped online,” said Levin.
In one 2017 incident, hackers threatened to release student Social Security numbers, phone numbers and addresses unless a small school district in Columbia Falls, Montana paid them a ransom. The criminal group had even hacked the school’s security cameras and could watch their every move. “That’s what I would consider the nightmare scenario,” said Levin.
Hundreds of companies are peddling protection against viruses and malware to districts. And they’re hyping worries about malicious cyber attacks to fuel their business. But their services are expensive and they drain precious education dollars away from teaching. These solutions do little to address the causes of the most common or biggest breaches: staff mistakes or outside vendors.
We still don’t know the extent of the leaks. The GAO report wasn’t a thorough survey of data breaches at schools but an analysis of press clippings. We can’t come up with good solutions until we get a better handle on the source of the problem.
For now, a good first step would be to update student data privacy laws, not only to keep student information hidden, but also to require the reporting of breaches so that we can prevent them. Our students deserve that.
This story about school data breaches was written by Jill Barshay and produced by The Hechinger Report, a nonprofit, independent news organization focused on inequality and innovation in education.