Data Breach Bullseye - Part 3

In this series, we are tracking the impact of last year’s record number of sensitive data breaches on three of the industries most vulnerable to cyberattacks: healthcare, financial services, and education. In prior posts, we explored why healthcare and financial services were the number one and two targets for cyberattacks, respectively.

In today’s post, we’ll examine the high cost — and risk — of sensitive data breaches in education in 2021.

Understanding the impact of data breaches in education

The education sector learned a lot about itself in 2021. We learned that virtual classrooms are totally feasible in a pinch but aren’t robust or immersive enough to replace in-person instruction any time soon. We also found out the hard way that as the world adopted more videoconferencing, email, and remote learning applications, the risk to the sensitive personal information they contained skyrocketed in lockstep.

According to the Identity Theft Resource Center 2021 Annual Data Breach Report, education ranked as the fifth most vulnerable industry to cyberattacks targeting personally identifiable information (PII) in 2021. Last year, U.S.-based educational institutions reported 125 data incidents that compromised more than 1.6 million of their constituents.

Education incurred a three-fold increase in the number of data breaches from 2020, while the number of individuals impacted by these incidents grew 64%. Almost two-thirds (61%) of 2021’s sensitive data breaches occurred within the K-12 grade level, while one-third occurred across the campuses of colleges and universities.

A majority (76%) of the sector’s data breaches included the theft or exposure of sensitive data. Of these incidents, 84% involved the exfiltration of Social Security numbers, impacting students, parents, alumni, and faculty members and costing institutions millions of dollars in damages.

Education ranked among the top targets for sensitive data breaches in 2021, including:

#2 for third-party/supply chain attacks
#3 for human and system insider errors
#5 for ransomware attacks

Education top attack vectors

A breached student record offers a comprehensive view into a student’s life, including personal demographic data, academic records, financial information, and medical data. The exposure of such personally identifiable information (PII) can lead to identity theft and fraud at the individual level and to major loss of reputation and business, as well as penalties, at the institutional level.

Analysis of the Identity Theft Resource Center’s (ITRC) notified Dashboard, a comprehensive database of publicly reported data breaches in the United States, showed that the vast majority (92%) of 2021’s data breaches were carried out by external actors. A total of 128 cyberattacks compromised the sensitive data of more than 418,600 students and faculty.

Chief among the cyberattack vectors used to breach the sensitive data of educational institutions were third-party/supply chain assaults, which accounted for half of all cyberattacks (52%), followed by ransomware, phishing emails, and malware.

Top Cyberattack Methods Leveraged in Education Sensitive Data Breaches in 2021

| Attack Vector | Individuals Impacted | Total Incidents |
|---|---|---|
| Third party/supply chain | 226,780 | 66 |
| Ransomware | 40,546 | 33 |
| Phishing, smishing, business email correspondence | 43,115 | 18 |
| Malware | 11,383 | 6 |

Source: Identity Theft Resource Center notified database January 1-December 31, 2021

A major driver of these breaches is the swift rise of cloud-based software in the digital classroom ecosystem, together with the rapid digital transformation in response to COVID-19 and the resulting overnight shift to online learning, all of which expand the potential attack surface.

The lifecycle of an education sensitive data breach was 40% longer than a non-sensitive data breach in 2021. It also took 120% longer to detect and contain sensitive data incidents caused by internal actors versus external actors.

The cost of data breaches in education

Data breaches cost education institutions an average of $3.79 million per breach. The exposure of this data can severely impact the individual, whose entire identity is left at the mercy of an attacker. Major breaches affect the entire institution, whether a public school district or private university. Institutions that fall victim to sensitive data exposure suffer financial losses from compliance failure fines, payouts to recover information from hackers, and lawsuits from individuals or families affected by the breach.

Top ten data breaches by the numbers

In 2021, education’s top ten sensitive data breaches impacted 367,016 individuals (or 67% of the industry’s total sensitive data victims). Colleges and universities accounted for four of the top ten incidents, while professional development training organizations were responsible for four of the year’s top sensitive data breaches. Nine of last year’s top ten breaches were cyberattacks engineered by external actors, and in seven incidents their primary target was Social Security numbers.

Unlike other industries where ransomware was a predominant cyberattack vector, it only accounted for three of education’s top ten data breaches, but their impact was far-reaching. The largest sensitive data breach (contributing 14% of the sector’s sensitive data victims) occurred at a Missouri K-12 school district where ransomware breached the Social Security numbers and bank account information of 77,294 students and faculty members. Ransomware was also responsible for Social Security number breaches in two other top incidents for a combined 137,042 individuals impacted by this growing attack vector. One instance occurred at a city college where 46,008 individuals were impacted, while another occurred at a Virginia-based EMO (Education Management Organization) where 13,740 individuals were affected.

Two other cyberattacks occurred via third-party/supply chain vulnerabilities at first aid training organizations, resulting in breached credit and debit card information for 49,193 individuals.

A proactive approach to data breach protection

The shift towards virtual classrooms that rely on cloud security and data movement across remote endpoints in a post-pandemic world means that cybersecurity threats to educational organizations and institutions are not going anywhere anytime soon.

Smart organizations are prioritizing a proactive approach towards protecting sensitive data before attacks occur by automating the discovery, classification, and remediation of private information wherever it lives within their IT environment.

To find out more about the impact of sensitive data breaches in 2021, read our full reports on the financial services, healthcare, and education sectors.

Want to dig deeper?

Read more in our new Education Guide to Sensitive Data Breaches and visit to learn about how to proactively protect your sensitive data and curb the cost of a data breach.