Multiple data breaches of school systems put thousands of students at risk, GAO finds

As schools and school districts increasingly rely on complex information technology systems for teaching and operations, they are collecting more student data electronically. A recent government report says thousands of students’ personal information has been compromised in nearly 100 data breaches.

According to the Government Accountability Office’s analysis, released Thursday, of Cybersecurity Resource Center data on students from kindergarten through high school from July 2016 to May 2020, 58 of the 99 data breaches were targeted at students’ academic records, including assessment scores and special education records.

Another 36 breaches involved students’ personally identifiable information, such as Social Security numbers. Financial and cybersecurity experts consulted by GAO officials said some personally identifiable information, or PII, can be sold on the black market, causing the students significant financial harm.

Breaches were either accidental or intentional, with school staff responsible for 21 out of the 25 accidental breaches, and students responsible for 27 of the 52 intentional breaches, most frequently to change grades.

Though reports of breaches by cybercriminals or by vendor errors were rare, those breaches affected large numbers of students, sometimes across multiple school districts. Cybercriminals were responsible for six of the 99 reported breaches, all of which were intentional. For example, a cybercriminal accessed 14,000 current and former students’ information in one school district.

Jacqueline Nowicki, director of GAO’s Education, Workforce and Income Security team and the author of the report, said that the personal information of K-12 students made them attractive targets for cybercriminals because they don’t have credit histories.

“Sometimes the cybercriminals coerced school districts to pay ransom in exchange for not making the students’ information public,” she added.

Disclosing a student’s personal information can also lead to physical and emotional harm. For example, for students with an Individualized Education Program, disclosure of special education status, annual goals or medical diagnoses contained in these records could lead to embarrassment or stigmatization.

Alan Butler, interim executive director of the Electronic Privacy Information Center, a non-profit that advocates for privacy rights, said that school districts need to take greater precautions when collecting personal data of students, as schools, like many other industries, are subject to a significant risk of data breach. “If you can’t protect it, don’t collect it,” he said.

Educational technology vendors were responsible for two reported breaches, both accidental. In one instance, five of the 15 breaches that involved vendor systems affected more than one district, with one potentially compromising students’ PII in at least 135 school districts.

In about two dozen breaches the intent was unknown, as was the hacker in almost 29 of them.

As almost all schools transitioned to online learning because of the coronavirus pandemic, additional cybersecurity challenges emerged in April and May. The Cybersecurity Resource Center reported at least one incident in May involving distance learning technology that may have resulted in student data being compromised. In the incident, a teacher shared an image with her students that inadvertently also displayed her login and password for a data management tool, and a student used it to gain unauthorized access to the system.

Of the 287 school districts affected by reported student data breaches, larger, wealthier and suburban school districts were disproportionately represented, according to GAO’s analysis. Cybersecurity experts interviewed by the GAO said some of these districts may use more technology in schools, which could create more opportunities for breaches to occur.

The GAO analysis was requested by the House Education and Labor Committee to determine whether schools are keeping students’ personal information secure.