And given that schools make up only about 0.6 percent of U.S. businesses and other organizations, that's a relatively disproportionate amount of breaches, says Joseph Campana, principal of J. Campana & Associates, which conducted the study (PDF).
Data from more than 12.4 million students, parents, faculty, and other consumers was exposed in 324 breaches, according to the report, which draws data from the Privacy Rights Clearinghouse. "Most of these breaches involved social security numbers or account numbers," Campana says. "If it was students and employees, it typically involved social security numbers. If it was parents, volunteers, or donors, it could be social security numbers or [credit card] account numbers."
More than one-third of the breaches were the result of lost, stolen, or missing computers, storage devices, magnetic tape, microfiche, and paper documents. Stolen or missing laptops made up 15 percent of these incidents. Hacking was the culprit in 24 percent of the cases, including both external and insider threats.
Not surprisingly, colleges and university were the bulk of the problem, with 79 percent of the breach incidents in the education sector. Earlier this week, the University of Florida became the latest victim, revealing that an intruder had broken into its College of Dentistry computers, potentially compromising the personal information of some 330,000 current and former patients.
K-12 schools suffered 15 percent of these breaches, but had the most (30 percent) breaches where the actual number of user profiles exposed was unknown, while colleges and universities had only 6 percent of such instances.
"This is a red flag that [K-12 schools] don't take inventory of the information they do have," Campana says. "That there were so many 'unknowns' surprised me."
Schools must make privacy a priority like they do with cracking down on gang activity, he adds. "If they are dealing with gangs or other discipline problems, it gets propagated through the schools. It's a matter of making privacy a priority."
That means training school risk managers to include privacy in their assessments, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message