More than 24.5 million records belonging to K–12 school districts and colleges in the United States have been hit by around 1,300 data breaches since 2005, according to a new report from Comparitech.
Not all data breaches are intentional, or the work of attackers. In fact, data breaches often stem form carelessness, with people compromising the security of private data in the most ludicrous ways, ranging from simply adding the wrong name in an email chain to leaving large databases unattended in the wild. However, it turns out that hacking really is prevalent and accounts for more incidents than any other factor.
A new report from Comparitech looked at what states and types of schools were affected, and the results are somewhat surprising. Looking back 15 years, the researchers found that California was the state most affected, but Arizona follows closely when comparing the number of affected records.
Things have changed considerably in the past 15 years, and the US Department of Education has strengthened its requirements for data breaches in colleges and universities. The fact that any violation has to be reported has drastically increased the number of reports, but it also makes it clear that breaches might have been underreported for many years.
“The biggest year for breaches overall was 2008,” states the report. “In 2008, there were 135 breaches in total, accounting for 10.2 percent of all the breaches. It was also the biggest year for college data breaches, with 101 (10.2 percent) occurring then.”
“However, it wasn’t the biggest year for K–12 school data breaches. 2019 saw the biggest year for school data breaches with 60 in total.”
The study didn’t identify any patterns in the breaches, but some odd numbers do pop up, and the reason is not clear. For example, Wyoming is the only state to have had no known or reported K–12 or college data breaches over the last 14 years, which raises suspicions.
Out of all the breaches, 77.7% occurred in a public school or college, which means that private institutions seem to be less affected. The biggest incident occurred in 2013 at the Maricopa County Community College District, with 2.49 million records affected.
Finally, the breaches themselves have various vectors; 43.8% were the result of hacking, 25.7% were unintentional disclosures by the institutions, thefts consisted of 13.8%, and data accessed by unauthorized personal consisted of only 5.8% of the incidents.