US schools leaked 28.6 million records in 1,851 data breaches since 2005

Since 2005, K–12 school districts and colleges/universities across the US have experienced over 1,850 data breaches, affecting more than 28.6 million records.

Our team of researchers analyzed data over the past 15 years to find out where the hot spots are, the biggest causes of these breaches, and how many students have been affected by each breach.

In our 2021 update, we’ve found that attacks on third parties can have a catastrophic effect on educational institutions and their data. This was particularly the case in 2020 with the widespread impact of the Blackbaud ransomware attack that affected over 200 individual educational institutions. Even without Blackbaud, 2020 was still a big year for education data breaches, despite many institutions being shut down for months at a time at the height of the pandemic.

Key findings:

1,851 data breaches in educational institutions since 2005
At least 28,569,864 individual records were affected as a result of these breaches
65 percent of breaches occurred in post-secondary institutions
87 percent of records affected were from post-secondary institutions
Hackings have become a dominant source behind these breaches in recent years, with insider-based breaches also growing (namely due to large-scale attacks such as the one on Blackbaud)
Blackbaud affected at least 209 educational institutions
Wyoming is the only state to have no known reported education breaches*

*Most data breach notification laws, including those in Wyoming, were only implemented over the past few years. Breaches might have occurred before these regulations came into play and/or breaches may fall below the threshold required to report a breach (e.g. only breaches that affect a certain number of people require public disclosure).

In 2018, the US Department of Education strengthened its requirements for data breaches in colleges and universities. These institutions now have to report any breach, regardless of the number of records lost, but only if they’re a Title IV institution (they accept federal funding through the federal student aid program, which covers the vast majority of schools). The only schools that don’t accept federal student aid are a small minority consisting mostly of religious institutions.

The top 5 worst-hit states for education data breaches and records impacted

If we take a look at the number of breaches by US states, we can see that California had the most by far, accounting for 239 of the 1,851 breaches (13 percent).

New York (121), Texas (98), and Massachusetts (88) are the other three worst-hit states. Florida and Illinois take joint fifth with 77 breaches each.

Wyoming remains the only state to have had no known or reported K–12 or college data breaches over the last 16 years.

Some of these numbers are not too surprising. California, Texas, and New York are among the top ten biggest US states and have large numbers of students and educational institutions. Massachusetts, however, is the 16th largest state by population and number of students in education. But with 88 breaches in total, it has had over 13 percent more breaches than Florida and Illinois.

Massachusetts is also one of the top five most heavily impacted states when it comes to the number of records affected in these breaches, too.

Predictably, California remains on the top spot for the number of records affected with over 2.9 million impacted in total. However, it is closely followed by Arizona where only slightly fewer people were affected–2.8 million in total. Both of these states’ record figures are around a million more than the other three states within the top five. Florida, Georgia, and Massachusetts have also seen around 1.8 million records impacted in educational data breaches since 2005.

Ohio, Washington, Texas, and Missouri are the only other states to have had over 1 million records impacted in these kinds of breaches.

The majority of these breached records (87 percent) were also within colleges/universities. For example, just 0.3 percent (7,986) of the records impacted within Arizona were within K-12 schools. California, Ohio, and Florida did see a higher proportion of records breached within K-12 institutions, however–22, 7, and 30 percent respectively.

Nevada had the highest number of K-12 records breached

In contrast to the above, the majority of Nevada’s impacted records (76 percent) were within K-12 institutions. Consequently, Nevada was also the state where the highest number of records within K-12 schools were breached.

A total of 717,626 records are reported to have been breached in K-12 institutions here (945,172 were breached in total). This stems from two particular breaches that impacted Washoe County (114,000) and Clark County (559,487) school districts. Both were hit by the Pearson Education, Inc. data breach which affected numerous schools across the US. A student assessment tool provided by Pearson’s AIMSweb was breached, leaving some personally-identifiable student information exposed.

Many of the breaches affecting K–12 schools impact an entire school district. It’s unclear how many schools within the district may have been impacted, however, so the breach figure remains “1.” Some community college systems also have this disambiguation issue.

North Dakota had the highest rate of students impacted

To get an idea of which states have perhaps suffered the worst data breaches, let’s take a look at the number of records impacted per student. Using the most recent student figures available, we can get an idea of which states have seen the highest rate of student records impacted.

The above map demonstrates that North Dakota has the highest rate of students impacted, with over 2.3 records impacted per 1 student. While this doesn’t necessarily mean that each student has had their data breached twice, it shows that the proportion of records impacted to the number of students within the state is at its highest here.

Arizona (1.6), Nevada (1.5), Nebraska (1.3), Massachusetts (1.1), and Connecticut (1.1) have also seen more records impacted than students within the state.

The biggest-known education data breaches

According to our findings, there were ten breaches that have affected half a million or more records. These are:

2013, Maricopa County Community College District Data Breach = 2.49 million records affected: A number of databases were breached and the records of nearly 2.5 million students, graduates, and staff were made available on the internet. This breach came with a lot of controversy due to the length of time it took for those affected to be notified.
2017, Harvard Computer Society = 1.4 million records affected: In this breach, over 1.4 million emails, which contained personal information of members of the Harvard Computer Society, were publicly available for a period of time.
2019, Georgia Tech = 1.27 million records affected: A central database was hacked, potentially exposing the records of nearly 1.27 million students, faculty, and staff members.
2017, Washington State University = 1.12 million records affected: Thieves broke into a storage locker and stole a safe. The safe contained a computer hard drive backup with over a million personal records, including Social Security numbers (SSNs).
2006, the University of California at Los Angeles = 800,000 records affected: Hackers gained access to the university’s database which contained personal details on numerous people, the majority of which included current and former students and student applications. Personal details included SSNs, home addresses, dates of birth, and contact information.
2010, Ohio State University = 750,000 records affected: Unauthorized individuals managed to log onto the university’s server, gaining access to SSNs, date of births, addresses of current and former students, and details on staff and faculty members.
2012, University of Nebraska = 654,000 records affected: Hackers may have gained access to a database that contained details on current students and alumni dating back as far as 1985.
2020, Metropolitan Community College of Kansas City = 638,186: In this ransomware attack, sensitive data on over 630,000 former, prospective, and current students may have been accessed by the hacker.
2019, Clark County School District = 559,487 records affected: As previously mentioned, this breach was part of the Pearson’s Education, Inc. data breach which affected numerous school districts.
2018, San Diego Unified School District = 500,000 records affected: A phishing attack enabled hackers to gain access to the district’s central student database.

The biggest years for education data breaches

According to the chart below, 2020 was the biggest year for education data breaches with 353 in total. This stems largely from the Blackbaud breach that affected 209 educational institutions (at least), accounting for 59 percent of the year’s breaches.

# of Education Data Breaches and Records Affected by Year

2020 was also one of the biggest years for records affected with 2.99 million impacted in total. It was only beaten slightly by 2013 when 3.08 million records were affected. 2013’s figures came predominantly from the Maricopa County Community College District data breach mentioned above, in which 2.5 million records were affected.

The huge number of records breached in 2020 wasn’t to do with Blackbaud, either. According to the figures where the number of records affected is disclosed, just 841,939 (28 percent) of our total stem from Blackbaud breaches.

The 2020 breaches on the Metropolitan Community College of Kansas City (affecting 638,186 records) and one on the University of Maryland (affecting 309,079) contributed largely to the total.

Breach definitions: Card (debit/credit card not via hacking, e.g. skimming), Hack (outside party or malware), Insd (insider–employee, third-party, or customer), Phys (paper documents), Port (portable devices, e.g. laptops, memory sticks, and hard drives), Stat (stationary computer), Disc (unintended disclosure, e.g. sensitive information posted publicly), Unkn (unknown).

The chart above also shows us how insider data breaches have become dominant in recent years. Insider breaches include an employee breach but also include third-party vendor breaches, e.g. Blackbaud. So, even though the third party is hacked, this is classed as an insider breach for the educational institution due to it coming from an inside entity within the school (the school itself isn’t hacked).

The 2019 breach on Aeries affected at least 27 school districts. Aeries provide student information systems and an unauthorized person accessed a large number of these for several months, potentially exposing student IDs, parent and student login information, physical addresses, emails, and password hashes.

As well as Blackbaud’s breach in 2020, Timberline Billing Service, LLC was also breached and affected a vast number of school districts. Of these, at least 18 released data breach notifications that impacted more than 21,000 records in total.

What is 2021 looking like for educational data breaches?

As of September 2021, 65 individual educational data breaches reportedly affected 554,779 records. A number of reasons could explain the drastic decrease from 2020.

First, 2020 was the year of the Blackbaud data breach, which, as we’ve seen, affected at least 209 education institutions. Second, there are often delays in the reporting of data breaches, meaning figures could rise over the next few months and even into 2022 and beyond.

Furthermore, our ransomware tracking map, updated daily, shows the education sector is seeing an ongoing flurry of ransomware attacks (there have already been 50 noted attacks this year following 81 last year). As attackers continue to focus on organizations where they can cause mass disruption (e.g. Blackbaud) and hold data to ransom as part of a “double-dip” attack, it’s highly likely more breaches will be reported following these attacks. After all, the Blackbaud attack was a huge success for the hackers who received an undisclosed payout to supposedly destroy the stolen data.

Methodology

To log all of the data breaches across educational institutions, our team searched through industry resources, state data breach notification tools, and news sources. Using this data, we were able to collate an extensive list of data breaches dating back to 2005.

Where possible the breach is assigned to the year in which it occurred. For example, a breach may have occurred in 2020 but may have only been disclosed in 2021. We would, therefore, allocate this to 2020’s figures as this is when the breach happened.

Some of the records included may be of employees at the facility. This is due to there being no breakdown between students and employees affected.

A vast number of the school-related breaches affected an entire school district, rather than a single school. However, as it is often unclear exactly how many schools within the district have been affected, the breach is classed as a single one.

While all 50 states (and the District of Columbia) now have data breach notification laws, these may not have been in place during each year of our study. Therefore, there may be some breaches that were not reported prior to 2018.

Student figures are gathered from the latest data available from the NCES–public elementary and secondary figures are from 2021, private elementary and secondary figures are from 2017, and post-secondary degree-granting institution figures are from 2018.

Data researchers: George Moody, Rebecca Moody