New report reveals 12.4 million student and consumer profiles were compromised in 324 breaches at colleges, K-12 schools

School safety is taking on a whole new meaning: Nearly one-third of all U.S. data breaches occurred in K-12, colleges, and universities, a new study found.

And given that schools make up only about 0.6 percent of U.S. businesses and other organizations, that's a relatively disproportionate amount of breaches, says Joseph Campana, principal of J. Campana & Associates, which conducted the study (PDF).

Data from more than 12.4 million students, parents, faculty, and other consumers was exposed in 324 breaches, according to the report, which draws data from the Privacy Rights Clearinghouse. "Most of these breaches involved social security numbers or account numbers," Campana says. "If it was students and employees, it typically involved social security numbers. If it was parents, volunteers, or donors, it could be social security numbers or [credit card] account numbers."

More than one-third of the breaches were the result of lost, stolen, or missing computers, storage devices, magnetic tape, microfiche, and paper documents. Stolen or missing laptops made up 15 percent of these incidents. Hacking was the culprit in 24 percent of the cases, including both external and insider threats.

Not surprisingly, colleges and university were the bulk of the problem, with 79 percent of the breach incidents in the education sector. Earlier this week, the University of Florida became the latest victim, revealing that an intruder had broken into its College of Dentistry computers, potentially compromising the personal information of some 330,000 current and former patients.

K-12 schools suffered 15 percent of these breaches, but had the most (30 percent) breaches where the actual number of user profiles exposed was unknown, while colleges and universities had only 6 percent of such instances.

"This is a red flag that [K-12 schools] don't take inventory of the information they do have," Campana says. "That there were so many 'unknowns' surprised me."

Schools must make privacy a priority like they do with cracking down on gang activity, he adds. "If they are dealing with gangs or other discipline problems, it gets propagated through the schools. It's a matter of making privacy a priority."

That means training school risk managers to include privacy in their assessments, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights