US schools leaked 37.6 million records in 3,713 data breaches

Since 2005, K–12 school districts and colleges/universities across the US have experienced 3,713 data breaches, affecting more than 37.6 million records.

2023 saw a record-breaking year for both the number of breaches in educational institutions and the number of records impacted. Last year, 954 data breaches were recorded in US schools and colleges, nearly seven times 2022’s figure of 139 and far higher than 2021’s previous record of 783. This huge increase was primarily due to over 800 institutions being impacted by the exploitation of vulnerabilities in MOVEit file transfer software.

The number of records impacted in education data breaches in 2023 reached almost 4.3 million–a vast increase on 2021’s and 2022’s figures of around 2.6 million. While 1.7 million of these were impacted in third-party breaches (e.g. MOVEit), a staggering 1.9 million records were affected across 65 ransomware attacks. This highlights the growing disruptiveness of these types of attacks on schools–not just in downtime caused by the encryption of systems but in the sheer volume of records being stolen in the process.

Our team of researchers analyzed data from the last 19 years to find out where the education data breach hot spots are, the biggest causes of these breaches, and how many students have been affected by each breach.

Key findings:

3,713 data breaches in educational institutions since 2005
At least 37,606,243 individual records were affected as a result of these breaches
60 percent of breaches occurred in colleges and universities institutions (largely due to the significant impact of the MOVEit transfer breach)
83 percent of records affected were from post-secondary institutions
Cyber attacks and ransomware attacks have become a dominant source of these breaches in recent years, with third-party breaches also growing (namely due to large-scale attacks like Blackbaud, Illuminate Education, and MOVEit)
The MOVEit breach affected at least 802 separate educational institutions
Wyoming reported just 1 educational data breach in 19 years*

*Most data breach notification laws, including those in Wyoming, were only implemented over the past few years. Breaches might have occurred before these regulations came into play and/or breaches may fall below the threshold required to report a breach (e.g. only breaches that affect a certain number of people require public disclosure).

In 2018, the US Department of Education strengthened its requirements for data breaches in colleges and universities. These institutions now have to report any breach, regardless of the number of records lost, but only if they’re a Title IV institution (they accept federal funding through the federal student aid program, which covers the vast majority of schools). The only schools that don’t accept federal student aid are a small minority consisting mostly of religious institutions.

The biggest years for education data breaches

As we have already seen, 2023 was the biggest year for education data breaches and records affected with 954 and 4.3 million recorded in total, respectively. The MOVEit transfer hack accounts for 84 percent of the year’s breaches (802) and 40 percent (1.7 million) of the records affected.

What’s more, the ramifications of MOVEit are still ongoing. The University System of Georgia just last month released its data breach notification, finding that 800,000 people were impacted as a result of the MOVEit exploit.

Breaches via third parties have become much more prevalent in recent years. Apart from 2022 (which saw a significantly lower number of breaches overall), breaches via third parties have accounted for hundreds of breaches in US schools and colleges.

Breach definitions: Card (debit/credit card not via hacking, e.g. skimming), Hack (outside party or malware), Insd (insider–employee or customer), Phys (paper documents), Port (portable devices, e.g. laptops, memory sticks, and hard drives), Stat (stationary computer), Disc (unintended disclosure, e.g. sensitive information posted publicly), Thrd (breach via a third party, e.g. Blackbaud), Unkn (unknown).

Most notable of these:

Blackbaud – 2020: Affected at least 208 individual schools and colleges and nearly 840,000 records.
Illuminate Education – 2021: Impacted 612 institutions and almost 209,000 records.
MOVEit – 2023: Affected over 800 educational organizations and nearly 1.7 million records with more still being confirmed.

We began logging ransomware attacks in the US in 2018. This type of threat has remained consistent but the volume of records impacted is the biggest cause for concern.

In 2023 alone, more than 1.9 million records were breached via 65 attacks. Despite accounting for under seven percent of all data breaches, ransomware attacks account for nearly half (45 percent) of all records breached in 2023. It was a similar story in 2020 and 2022, too.

This follows an ongoing trend where ransomware hackers are targeting organizations with large databases so they have troves of stolen data to hold to ransom. In many cases, bad actors will encrypt systems and steal data in a bid to double-extort their victims.

The biggest ransomware attack in 2023 (based on records affected) was a March 2023 attack on Lakeland Community College, Ohio, which compromised 285,948 individuals’ data.

The top 5 worst-hit states for education data breaches and records impacted

If we take a look at the number of breaches by US states, we can see that New York had the most by far with 800 in total. However, this stems from the majority of schools impacted in the Illuminate Education breach (557 in New York) being based here.

California accounts for 11 percent of breaches with 401 in total (67 institutions were impacted by the MOVEit breach and 37 by the Illuminate breach). Texas reports the next highest number of education breaches with 164, followed by Massachusetts with 142. The fifth worst-hit state is North Carolina with 132 breaches.

Some of these numbers are not too surprising. California, Texas, and New York are among the top ten most populous US states and have large numbers of students and educational institutions. North Carolina, however, is the 9th largest state by overall population and number of students in education. But with 132 breaches in total, it has a significantly higher number of breaches than some of the other largest states, e.g. Florida where there have been 112 education data breaches.

Nevertheless, Wyoming did report its first known data breach within the educational sector in 2023. Laramie County Community College was breached as part of the MOVEit hack.

In addition to the number of breaches, we also examine the number of records affected.

Predictably, California takes the top spot for the number of records affected with over 3.3 million impacted in total. However, it is closely followed by Arizona where only slightly fewer people were affected–2.9 million in total.

Just four other states reported breached records higher than 2 million, these were: Georgia (2.7 million), Texas (2.5 million), Massachusetts (2.4 million), and Ohio (2.2 million).

Out of these, Arizona, Georgia, Massachusetts, and Ohio all reported around 95 percent or higher of these breached records impacting colleges/universities. California had 74 percent of its records breached through colleges.

Meanwhile, Texas saw the opposite with 70 percent of breached records being attributed to K-12 schools, and just 30 percent coming from post-secondary institutions. Only two other states reported a higher ratio of records impacted in K-12 schools. These were Nevada with 76 percent and South Carolina with 54 percent. Texas was also the state with the highest number of K-12 student records impacted by breaches with 1.7 million in total–nearly 1 million more than second-place California. Over 795,000 of Texas’ total stems from the Dallas Independent School District breach.

Many of the breaches affecting K–12 schools impact an entire school district. It’s unclear how many schools within the district may have been impacted, however, so the breach figure remains “1.” Some community college systems also have this disambiguation issue.

More K-12 schools hit with ransomware attacks than post-secondary institutions

Interestingly, of the 246 ransomware attacks we have tracked in the US education sector, 149 (61 percent) have affected K-12 schools. K-12 schools were more heavily impacted than post-secondary schools from 2018 to 2021. Both report similar figures reported in more recent years.

Post-secondary institutions have seen more records impacted via ransomware attacks, however. 3.74 million were impacted in colleges/universities, compared to 1.53 million in schools.

North Dakota had the highest rate of students impacted

To get an idea of which states have perhaps suffered the worst data breaches, let’s take a look at the number of records impacted per student. Using the most recent student figures available, we can get an idea of which states have seen the highest rate of student records impacted.

The above map demonstrates that North Dakota has the highest rate of students impacted, with nearly 2.5 records impacted per 1 student. While this doesn’t necessarily mean that each student has had their data breached more than twice, it shows that the proportion of records impacted to the number of students within the state is at its highest here.

9 other states recorded more than 1 record impacted per student, these were: Massachusetts (1.6) Arizona (1.58), Nebraska (1.45), Nevada (1.43), Hawaii and Washington (1.15), DC (1.11), Connecticut (1.10), and Georgia (1.08).

The top 10 biggest education data breaches

According to our findings, these are the top ten biggest data breaches on schools and colleges in the US:

2013, Maricopa County Community College District Data Breach = 2.49 million records affected: A number of databases were breached and the records of nearly 2.5 million students, graduates, and staff were made available on the internet. This breach came with a lot of controversy due to the length of time it took for those affected to be notified.
2017, Harvard Computer Society = 1.4 million records affected: In this breach, over 1.4 million emails, which contained personal information of members of the Harvard Computer Society, were publicly available for a period of time.
2019, Georgia Tech = 1.27 million records affected: A central database was hacked, potentially exposing the records of nearly 1.27 million students, faculty, and staff members.
2017, Washington State University = 1.12 million records affected: Thieves broke into a storage locker and stole a safe. The safe contained a computer hard drive backup with over a million personal records, including Social Security numbers (SSNs).
2006, University of California at Los Angeles = 800,000 records affected: Hackers gained access to the university’s database which contained personal details on numerous people, the majority of which included current and former students and student applications. Personal details included SSNs, home addresses, dates of birth, and contact information.
2023, University System of Georgia = 800,000 records affected: Impacted as a result of the third-party MOVEit transfer breach in 2023. This breach affected full names, dates of birth, Social Security numbers (full or partial), bank account numbers, and federal tax documents (including tax ID numbers).
2021, Dallas Independent School District = 795,497 records affected: Initially, facts surrounding the breach were vague and the district took a month to notify those affected. However, details later emerged which suggested two students were behind the breach. While their intentions weren’t malicious, they did expose a huge security flaw within the district.
2022, Lansing Community College = 757,832 records affected: An unauthorized individual gained access to certain systems that stored personal data which included employee, student, and vendor information within the records.
2010, Ohio State University = 750,000 records affected: Unauthorized individuals managed to log onto the university’s server, gaining access to SSNs, dates of birth, addresses of current and former students, and details on staff and faculty members.
2012, University of Nebraska = 654,000 records affected: Hackers may have gained access to a database that contained details on current students and alumni dating back as far as 1985.

What is 2024 looking like for educational data breaches?

As it stands, the first quarter of 2024 looks to have been far quieter than the first quarter of 2023. With just 16 data breaches reported from January to March 2024, this is nearly four times the amount witnessed in the first quarter of 2023 (62). While many breaches are reported weeks or months after they’ve happened, it’s unlikely 2024’s figure will reach the same heights as 2023.

In Q1 of 2024, 58,400 records were affected in breaches on schools and colleges in the US–significantly lower than the 1.1 million recorded in Q1 of 2023.

Have data breach trends in the education sector taken a turn for the better?

It’s too early to say. This dip is something we’ve also witnessed across all sectors in our daily US ransomware tracker, but that’s not to say the rest of 2024 will continue in the same vein. If previous years are anything to go by, all it takes is one exploited vulnerability to have a huge knock-on effect across multiple sectors and organizations. And as hackers appear to be focusing on companies with larger sets of data, fewer attacks but higher volumes of breached records is something we’re more likely to witness this year and beyond.

Methodology

To log all of the data breaches across educational institutions, our team searched through industry resources, state data breach notification tools, and news sources. Using this data, we were able to collate an extensive list of data breaches dating back to 2005.

Where possible the breach is assigned to the year in which it occurred. For example, a breach may have occurred in 2020 but may have only been disclosed in 2021. We would, therefore, allocate this to 2020’s figures because this is when the breach happened.

Some of the records included may be of employees at the facility. This is due to there being no breakdown between students and employees affected. Likewise, certain university hospitals/medical schools may include patient data alongside student data with no provided breakdown.

A vast number of the school-related breaches affected an entire school district, rather than a single school. However, as it is often unclear exactly how many schools within the district have been affected, the breach is classed as a single one.

While all 50 states (and the District of Columbia) now have data breach notification laws, these may not have been in place during each year of our study. Therefore, there may be some breaches that were not reported prior to 2018.

Student figures are gathered from the latest data available from the NCES–public elementary and secondary figures are from 2023, private elementary and secondary figures are from 2017, and post-secondary degree-granting institution figures are from 2023.

While some institutions have been able to report exactly how many records were affected as a result of the MOVEit breach, others have yet to finalize figures. Therefore, we will likely see figures rise far higher in the future. Furthermore, many institutions were impacted by MOVEit because of a contractor who used the software themselves (often described as “multiple vendors”). These all fall under a third-party MOVEit breach in our study.

Data researcher: Charlotte Bond