US schools leaked 32 million records in 2,691 data breaches since 2005

Since 2005, K–12 school districts and colleges/universities across the US have experienced 2,691 data breaches, affecting nearly 32 million records.

Our team of researchers analyzed data over the past 18 years to find out where the hot spots are, the biggest causes of these breaches, and how many students have been affected by each breach.

In this update, we’ve found that attacks on third parties can have a catastrophic effect on educational institutions and their data. This was particularly the case in December 2021 with the widespread impact of the Illuminate Education breach that affected over 600 individual educational institutions. Even without the Illuminate breach, 2021 was still a big year for education data breaches. 2022 appeared to see a dip in breaches at the start, but toward the end it started to increase again.

Key findings:

2,691 data breaches in educational institutions since 2005
At least 31,988,437 individual records were affected as a result of these breaches
51 percent of breaches occurred in K-12 institutions (but this is due to the significant impact of the Illuminate breach)
83 percent of records affected were from post-secondary institutions
Hackings and ransomware attacks have become a dominant source of these breaches in recent years, with third-party breaches also growing (namely due to large-scale attacks like Blackbaud and Illuminate)
Illuminate Education’s breach affected at least 605 separate institutions
Wyoming is the only state to have no known reported education breaches*

*Most data breach notification laws, including those in Wyoming, were only implemented over the past few years. Breaches might have occurred before these regulations came into play and/or breaches may fall below the threshold required to report a breach (e.g. only breaches that affect a certain number of people require public disclosure).

In 2018, the US Department of Education strengthened its requirements for data breaches in colleges and universities. These institutions now have to report any breach, regardless of the number of records lost, but only if they’re a Title IV institution (they accept federal funding through the federal student aid program, which covers the vast majority of schools). The only schools that don’t accept federal student aid are a small minority consisting mostly of religious institutions.

The top 5 worst-hit states for education data breaches and records impacted

If we take a look at the number of breaches by US states, we can see that New York had the most by far with 691 in total. However, this stems from the majority of schools impacted in the Illuminate Education breach (556) being based here.

California accounts for just over 11 percent of the breaches with 303 in total (31 institutions here were impacted by the Illuminate breach). Texas and Massachusetts are the only two other states to have seen 100 or more education data breaches with 116 and 100 each respectively. And the fifth worst-hit state is Illinois with 86 breaches.

Wyoming remains the only state to have had no known or reported K–12 or college data breaches over the last 18 years.

Some of these numbers are not too surprising. California, Texas, and New York are among the top ten most populous US states and have large numbers of students and educational institutions. Massachusetts, however, is the 15th largest state by overall population and 16th for the number of students in education. But with 100 breaches in total, it has a significantly higher number of breaches than some of the other largest states, e.g. Florida where there have been 82 education data breaches.

In addition to the number of breaches, we also examine the number of records affected. Florida is one of the top five most heavily impacted states when it comes to the number of records affected by breaches.

Predictably, California takes the top spot for the number of records affected with over 2.9 million impacted in total. However, it is closely followed by Arizona where only slightly fewer people were affected–2.8 million in total. Texas is the only other state to have seen more than 2 million records impacted (2.3 million in total). Florida and Ohio make up the rest of the top five with around 1.9 million records impacted.

Massachusetts, Georgia, Washington, Missouri, and New York are the only other states to have had over 1 million records impacted in these kinds of breaches.

The majority of these breached records (83 percent) were also within colleges/universities. For example, just 0.3 percent (7,986) of the records impacted within Arizona were within K-12 schools.

76 percent of Nevada’s breached records affected K-12 schools

In contrast to the above, the majority of Nevada’s impacted records (76 percent) were within K-12 institutions. A total of 717,626 records are reported to have been breached in K-12 institutions here (945,172 were breached in total). This stems from two particular breaches that impacted Washoe County (114,000) and Clark County (559,487) school districts. Both were hit by the Pearson Education, Inc. data breach that affected numerous schools across the US. A student assessment tool provided by Pearson’s AIMSweb was breached, leaving some personally-identifiable student information exposed.

Only two other states saw a higher number of records impacted within K-12 institutions. These were Texas and South Carolina where 71 and 54 percent of the total breached records were within K-12 schools respectively. Texas was also the state with the highest number of K-12 student records impacted by breaches with 1.6 million in total–nearly 1 million more than second-place Nevada. Over 795,000 of Texas’ total stems from the Dallas Independent School District breach.

Many of the breaches affecting K–12 schools impact an entire school district. It’s unclear how many schools within the district may have been impacted, however, so the breach figure remains “1.” Some community college systems also have this disambiguation issue.

North Dakota had the highest rate of students impacted

To get an idea of which states have perhaps suffered the worst data breaches, let’s take a look at the number of records impacted per student. Using the most recent student figures available, we can get an idea of which states have seen the highest rate of student records impacted.

The above map demonstrates that North Dakota has the highest rate of students impacted, with nearly 2.5 records impacted per 1 student. While this doesn’t necessarily mean that each student has had their data breached twice, it shows that the proportion of records impacted to the number of students within the state is at its highest here.

Arizona (1.5), Nebraska (1.45), Nevada (1.4), Massachusetts (1.25), DC (1.1), Connecticut (1.06), Hawaii (1.01), and Washington (1.01) have also seen more records impacted than students within the state.

The biggest-known education data breaches

According to our findings, there were 11 breaches that have affected half a million or more records. These are:

2013, Maricopa County Community College District Data Breach = 2.49 million records affected: A number of databases were breached and the records of nearly 2.5 million students, graduates, and staff were made available on the internet. This breach came with a lot of controversy due to the length of time it took for those affected to be notified.
2017, Harvard Computer Society = 1.4 million records affected: In this breach, over 1.4 million emails, which contained personal information of members of the Harvard Computer Society, were publicly available for a period of time.
2019, Georgia Tech = 1.27 million records affected: A central database was hacked, potentially exposing the records of nearly 1.27 million students, faculty, and staff members.
2017, Washington State University = 1.12 million records affected: Thieves broke into a storage locker and stole a safe. The safe contained a computer hard drive backup with over a million personal records, including Social Security numbers (SSNs).
2006, the University of California at Los Angeles = 800,000 records affected: Hackers gained access to the university’s database which contained personal details on numerous people, the majority of which included current and former students and student applications. Personal details included SSNs, home addresses, dates of birth, and contact information.
2021, Dallas Independent School District = 795,497 records affected: Initially, facts surrounding the breach were vague and the district took a month to notify those affected. However, details later emerged which suggested two students were behind the breach. While their intentions weren’t malicious, they did expose a huge security flaw within the district.
2010, Ohio State University = 750,000 records affected: Unauthorized individuals managed to log onto the university’s server, gaining access to SSNs, date of births, addresses of current and former students, and details on staff and faculty members.
2012, University of Nebraska = 654,000 records affected: Hackers may have gained access to a database that contained details on current students and alumni dating back as far as 1985.
2020, Metropolitan Community College of Kansas City = 638,186: In this ransomware attack, sensitive data on over 630,000 former, prospective, and current students may have been accessed by the hacker.
2019, Clark County School District = 559,487 records affected:This breach was part of the Pearson’s Education, Inc. data breach that affected numerous school districts.
2018, San Diego Unified School District = 500,000 records affected: A phishing attack enabled hackers to gain access to the district’s central student database.

The biggest years for education data breaches

According to the chart below, 2021 was the biggest year for education data breaches with 771 in total. However, as we have noted, this stems largely from the Illuminate Education compromise that affected more than 600 educational institutions (at least), accounting for 78 percent of the year’s breaches.

2020 was one of the biggest years for records affected with 2.97 million impacted in total. It was only beaten slightly in 2013 when 3.08 million records were affected. 2013’s figures came predominantly from the Maricopa County Community College District data breach mentioned above, in which 2.5 million records were affected.

2021 was also a big year for breached records with 2.6 million impacted in total. While some of these (over 206,000) came from the Illuminate Education breach, the breaches on Dallas ISD (795,500), the University of Kentucky (350,000), the Cornish College of the Arts (199,449), Marymount Manhattan College (192,000), and Judson Independent School District (181,000) accounted for a large proportion of these.

2022 did see a significant number of records impacted in education breaches (1.38 million) and 67 percent of these were impacted in breaches in the latter half of the year. 408,189 of these were from the ransomware attack on Cincinnati State Technical and Community College, highlighting the worrying trend of ransomware hackers not only causing disruption to school systems by encrypting them but by shoring up their chances of a ransom by stealing vast amounts of data, too.

Breach definitions: Card (debit/credit card not via hacking, e.g. skimming), Hack (outside party or malware), Insd (insider–employee or customer), Phys (paper documents), Port (portable devices, e.g. laptops, memory sticks, and hard drives), Stat (stationary computer), Disc (unintended disclosure, e.g. sensitive information posted publicly), Thrd (breach via a third party, e.g. Blackbaud), Unkn (unknown).

The chart above also shows us how third-party data breaches have become dominant in recent years. The largest of these figures come from the 2020 Blackbaud ransomware attack and the 2021 Illuminate Education breach.

We only started logging ransomware attacks in the US from 2018 (these types of attacks will have been included in previous years’ figures for “hacks”), but as you can see this type of threat has remained consistent in recent years.

Looking at the number of records affected by type of breach (from 2018 when we started logging ransomware attacks), we can see that ransomware has become a huge threat to education data. In 2022, ransomware attacks accounted for 66 percent of the records affected in school/college data breaches.

What is 2023 looking like for educational data breaches?

As of mid-March 2023, 11 individual educational data breaches have been reported. This does demonstrate a dip in the higher figures we saw toward the end of 2022. However, with breaches often reported in full months after they have happened, these figures will likely increase over time.

Furthermore, our ransomware tracking map, updated daily, shows the education sector is seeing an ongoing flurry of ransomware attacks. Six of the 11 reported educational data breaches this year stem from ransomware attacks.

As attackers continue to focus on organizations where they can cause mass disruption (e.g. Blackbaud and large school districts) and hold data to ransom as part of a “double-dip” attack, it’s highly likely more breaches will be reported following these attacks.

Methodology

To log all of the data breaches across educational institutions, our team searched through industry resources, state data breach notification tools, and news sources. Using this data, we were able to collate an extensive list of data breaches dating back to 2005.

Where possible the breach is assigned to the year in which it occurred. For example, a breach may have occurred in 2020 but may have only been disclosed in 2021. We would, therefore, allocate this to 2020’s figures as this is when the breach happened.

Some of the records included may be of employees at the facility. This is due to there being no breakdown between students and employees affected.

A vast number of the school-related breaches affected an entire school district, rather than a single school. However, as it is often unclear exactly how many schools within the district have been affected, the breach is classed as a single one.

While all 50 states (and the District of Columbia) now have data breach notification laws, these may not have been in place during each year of our study. Therefore, there may be some breaches that were not reported prior to 2018.

Student figures are gathered from the latest data available from the NCES–public elementary and secondary figures are from 2023, private elementary and secondary figures are from 2017, and post-secondary degree-granting institution figures are from 2022.

Data researcher: Charlotte Bond