COMMENTARY

We often think of high-risk industries like finance or healthcare when considering the risks of data being targeted and exfiltrated. However, the education industry and its infrastructure — which require personal identifiable information (PII) — are often overlooked.

For many, this exchange of PII for goods and services (in this case, enrolling in school) may not seem worrisome. But for K-12 students, it’s a potentially early introduction to cybercrime and its damages.

With some schools already under cyber threat, the urgency of reevaluating data protection strategies becomes increasingly clear.

Identity Theft Before High School

In 2023, educational institutions saw increased data breach activity. For many adults, the reality of data breaches is well-known and often just a part of daily life — don’t click on suspicious links, enable credit monitoring, and be wary of scam calls. This is a faraway concept for younger students in K-12 schools, yet their data is some of the most vulnerable.

One vulnerability in an application used across the education sector can have a huge attack surface for these students. For example, schools use apps and online resources to support teaching materials. Still, educators can’t ensure these vendors are appropriately safeguarding the PII, such as names and emails. Examples like Los Angeles Unified School District and its experience with a chatbot named “Ed.” On the surface, Ed was meant to be a personal assistant to the district’s students and used their data. However, when the bot’s startup company, AllHere, went dark and the chatbot disappeared, questions remained regarding where precisely the student data went.

Schools across the United States are well into their school year, meaning parents have already provided shot records, medical history, and other sensitive information regarding their children. That information is stored across school servers, possibly even in third-party databases like AllHere’s chatbot.

These parents of K-12 students may be unknowingly giving threat actors the information they need to steal their child’s identity before they ever enter college.

Tucson Unified School District experienced its own run-in with cybercriminals and ransomware in 2023 when the ransomware group Royal extorted what they claimed to be all student personal information — including passports, Social Security numbers, birth certificate information, and more.

Research from Comparitech shows that data breaches have affected more than 37.6 million records across K-12 schools and higher education since 2005. Between 2018 and 2021, 61% of targeted institutions in the United States education sector were K-12 schools. While more records were affected in ransomware attacks targeting universities and colleges, this interest in our youth’s data highlights their vulnerability to cyberattacks.

Instances like the Tucson incident are not as rare as many educators and parents would hope. Our youth, lacking the same access or abilities to monitor their credit or make informed decisions after cyber events, are particularly vulnerable. The full effects of a successful ransomware attack like the one Tucson Unified School District experienced can be devastating for the incredibly vulnerable student demographic.

Misconceptions Regarding Data Thieves

We’ve reached record-breaking ransomware attacks in 2024, and our data across all industries is at risk. However, the inundation of data breaches and data theft paired with daily organizational demand for consumer data has created an interesting phenomenon: Consumers don’t trust their data will ever be secured.

Cybercriminals are opportunistic and self-serving, often looking for the easiest way to steal valuable information they can exfiltrate and extort for money. They are exploiting vulnerabilities and pushing out phishing campaigns to steal data for their own benefit, but this behavior doesn’t just affect adults.

While historically the education sector has not been a priority target for these groups, the outbreak of 2023 highlights a new reality. Threat actors are becoming more aggressive in their methods, and data protection across K-12 and higher education institutions must be prioritized moving forward.

Preventing Data Theft in the Education Sector

Higher and lower education organizations have reported increasing ransomware attack rates starting in 2021 according to the “2024 Sophos State of Education” report.

The same report also shows attacks across both lower and higher education institutions are becoming more dangerous:

  • Eighty-five percent of ransomware attacks in lower education institutions and 77% of higher education organizations in the last year ended in threat actors encrypting the school’s data.

  • Across lower and higher education organizations, the cost of recovery from these attacks doubled and quadrupled in 2024 compared with 2023.

  • Most worryingly, the education sector is the least likely to report data theft from cyberattacks, with lower education facilities tied with the healthcare industry at 22% reporting.

While creating an impenetrable defense is impossible, current strategies rely on creating barriers like firewalls, intrusion detection systems, and regular security audits that are proving inadequate against sophisticated threats. The education sector must reassess its data security.

The education sector must prioritize comprehensive data protection strategies to safeguard PII in an aggressive threat environment. By doing so, schools and universities can mitigate identity theft and ransomware risks, ensuring data security for students and faculty. Moving forward, it is crucial for the education sector to recognize its vulnerability and take proactive steps to strengthen its defenses, protecting the future of our children and educators.

Source: www.darkreading.com