Drawing upon the incredible work of Doug Levin and his K-12 Cybersecurity Resource Center, Jill Barshay of The Hechinger Report highlights some of Doug’s findings — findings the GAO relied heavily upon in their recent report.
How you tabulate breaches can make a huge difference in the public’s — and Congress’s — understanding of the scope of a problem. As a recent example, consider the Blackbaud ransomware incident that this site has been monitoring for patient impact. Do you count that as ONE incident, or do you count it as tens of thousands of incidents because Blackbaud had tens of thousands of clients? One incident with more than 11 million patients impacted so far — or 105 incidents with more than 11 million impacted so far that we know of?
Impressions matter.
Barshay reports:
Why the discrepancy? The GAO counted each attack as one incident regardless of how many school districts were affected. Levin counted each district’s data breach separately, even if they were all hit by the same cyber attack. For example, a major breach at educational testing company Pearson in 2018 affected an unknown number of student records in thousands of schools. The GAO counted that as one incident. Levin identified 135 of the districts and counted it as 135 separate incidents.
Another news organization, Comparitech, claims even larger numbers. Earlier this year, the website estimated that 24.5 million student records had been compromised in 1,327 data breaches in U.S. schools, including colleges and universities, since 2005.
As you read, keep in mind that:
- FERPA does not require covered entities to notify students or parents of data security breaches or privacy breaches. Hence, there is no central repository of reports and we really have no idea how many breaches occur every year and how many students, employees, or parents may be impacted. Indeed, a lot of things that we would probably consider personal or private information is freely available from school districts who may declare it “directory information.”
- The FTC does not have authority to investigate k-12 school districts or non-profits for data security breaches. What it DOES have authority to do — but doesn’t seem to use — is to investigate breaches at the secondary level if they involve student financial aid. GLBA gives them that authority, but so far, they do not seem eager to use it.
So apart from all the human error breaches, why shouldn’t criminals go after the education sector? It’s “low-hanging fruit,” has generally poorer security than other sectors, and the breaches may never get disclosed (think about how neither Guilford Technical Community College nor Toledo Public Schools ever disclosed the extent of the cyberattacks they experienced until DataBreaches.net published evidence of all of the personal information that had been exfiltrated by threat actors and dumped publicly already).
Read more on The Hechinger Report, and if you’re not already following Doug and his K-12 CyberResource Map on Twitter, add both.