Educational institutions in the United States have been facing a growing threat of data breaches over the past decade, with a total of 3713 breaches impacting over 37.6 million records since 2005. This concerning trend has raised alarm bells within the education sector and prompted calls for enhanced cybersecurity measures to protect sensitive information.
The year 2023 marked a record high in data breaches, with 954 incidents reported – a significant increase from the 139 breaches recorded in 2022 and the 783 breaches in 2021. This spike in breaches was largely attributed to vulnerabilities in MOVEit file transfer software, which impacted over 800 institutions across the country. The number of records compromised in 2023 also saw a drastic increase, reaching nearly 4.3 million compared to 2.6 million in both 2021 and 2022. Of these compromised records, 1.7 million were the result of third-party breaches, while 1.9 million were affected by 65 ransomware attacks.
An in-depth analysis conducted by Comparitech identified colleges and universities as the primary targets of data breaches, accounting for 60% of reported incidents. The MOVEit software vulnerability played a significant role in these breaches, with 83% of affected records originating from post-secondary institutions. Cyber-attacks, ransomware, and third-party breaches have emerged as the leading causes of data breaches in the education sector, with incidents involving companies like Blackbaud, Illuminate Education, and MOVEit making headlines in recent years.
The implementation of new regulations by the US Department of Education in 2018 mandated that Title IV institutions report any data breach, regardless of the number of records affected, to ensure transparency and accountability. Some of the largest breaches in 2023 included the University System of Georgia, which reported that 800,000 individuals were impacted by the MOVEit exploit.
In terms of geographical impact, New York reported the highest number of breaches in 2023 (800), followed by California with 401 incidents. California also led in the number of records affected, with over 3.3 million compromised, closely followed by Arizona with nearly 2.9 million records. Texas reported the highest number of K-12 student records breached, with over 1.7 million records compromised.
Ransomware attacks have been particularly prevalent in K-12 schools, with 149 out of 246 tracked incidents since 2018 affecting this sector. However, post-secondary institutions have seen a larger volume of records impacted by ransomware attacks, with 3.74 million records breached compared to 1.53 million in K-12 schools. North Dakota reported the highest rate of student records impacted per capita.
The top ten biggest breaches in recent years have involved notable institutions like the Maricopa County Community College District and the Harvard Computer Society, with millions of records compromised in each incident. The first quarter of 2024 saw a decrease in data breaches, with only 16 incidents reported between January and March affecting 58,400 records, indicating a potential positive trend. However, the long-term outlook for data security in educational institutions remains uncertain as cyber-attacks continue to evolve and pose a growing threat to sensitive information.