Since 2005, K–12 school districts and colleges/universities across the US have experienced over 1,300 data breaches, affecting more than 24.5 million records.
Our team of researchers analyzed data over the past 15 years to find out where the hot spots are, the biggest causes of these breaches, and how many students have been affected by each breach.
What did we find?
- California is a hot spot for both college and K–12 data breaches, with the most records affected (but it is also home to the largest number of these institutions)
- Arizona is one of the worst-hit states by number of records affected
- Wyoming is the only state to have no known reported education breaches*
- Hacking is the most common type of breach
- 2008 had the most education data breaches, but 2013 and 2017 were the biggest years by number of records affected
- Public institutions are affected by breaches at a higher rate compared to private ones
*Most data breach notification laws, including those in Wyoming, were only implemented over the past few years. Breaches might have occurred before these regulations came into play and/or breaches may fall below the threshold required to report a breach (e.g. only breaches that affect a certain number of people require public disclosure).
In 2018, the US Department of Education strengthened its requirements for data breaches in colleges and universities. These institutions now have to report any breach, regardless of the number of records lost, but only if they’re a Title IV institution (they accept federal funding through the federal student aid program, which covers the vast majority of schools). The only schools that don’t accept federal student aid are a small minority consisting mostly of religious institutions.
Colors indicate the # of breaches while the size of the circles depicts the # of records affected.
California suffers the most education data breaches
If we take a look at the number of breaches by US state, we can see that California had the most by far, accounting for 157 of the 1,328 breaches (11.8 percent).
The list of worst-hit states also includes New York with 89, Texas with 79, Illinois and Ohio each with 60, and Florida with 58.
Wyoming is the only state to have had no known or reported K–12 or college data breaches over the last 14 years.
Some of these numbers are not too surprising. California, Texas, New York, Illinois, and Ohio are among the top 10 largest US states and have large numbers of students and educational institutions. It stands to reason that this would also result in a larger number of data breaches.
However, if we change the figures to look at the number of records affected by US state, the picture changes slightly.
California remains a hotspot, yet Arizona becomes one of the worst-hit states with only slightly fewer people affected in its breaches than California (2.83 million compared to 2.88 million). West Virginia and Georgia also display high numbers of records affected in contrast to the number of breaches with 1.3 million and 1.6 million records impacted, respectively.
Other states with high numbers of records exposed or stolen in breaches include Ohio (1.4 million), Massachusetts (1.7 million), and Florida (1.6 million).
How do these figures change if we divide them up by schools and colleges?
Colleges account for 74% of education data breaches
If we look at the hotspots for breaches in K–12 schools versus the breaches in colleges and universities, we can see that there are some significant differences.
US K-12 schools data breach hot spots
When it comes to breaches within US K–12 schools (both public and private), California and Texas are the biggest hot spots.
Illinois and New York also have a large number of breaches but these affected fewer records than other states. In contrast, Nevada and Florida have large numbers of records affected compared to the number of breaches.
In Nevada, three K–12 breaches affecting 673,487 records were reported, while in Florida, 17 school breaches affecting 504,135 records were reported.
Nevada’s huge figures stem from two particular breaches that impacted Washoe County (114,000) and Clark County (559,487) school districts. Both were hit by the Pearson Education, Inc. data breach which affected numerous schools across the US. A student assessment tool provided by Pearson’s AIMSweb was breached, leaving some personally-identifiable student information exposed.
Many of the breaches affecting K–12 schools impact an entire school district. It’s unclear how many schools within the district may have been impacted, however, so the breach figure remains “1.” Some community college systems also have this disambiguation issue.
US colleges data breach hot spots
California remains a hot spot for college breaches, too, accounting for 12.2 percent of the 985 college data breaches and 10.6 percent of the 21.5 million records affected. New York also remains one of the places with the most breaches, having had 63 breaches which affected almost half a million records.
Texas and Illinois are no longer hot spots but Florida remains one of the states with the highest number of records affected (1.07 million — 5 percent). It is also joined by five other states in the “over 1 million records affected” category. These are:
- Arizona – 2.8 million records affected in 8 breaches
- Massachusetts – 1.7 million records affected in 36 breaches
- Georgia – 1.6 million records affected in 24 breaches
- Ohio – 1.4 million records affected in 48 breaches
- Washington – 1.3 million records affected in 15 breaches
Arizona sits at the top spot for the number of records affected in relation to the number of breaches. This arises from a large breach which affected almost 2.5 million records from Maricopa Community Colleges. The college system came under fire due to the length of time it took to notify those involved (seven months). The cleanup reportedly cost $26 million.
% of colleges affected by breaches
Here we can see that the states with the highest percentage of colleges affected by data breaches are Alaska and Vermont with 55.6 and 50 percent of colleges affected by data breaches, respectively.
Therefore, even though California is the hot spot when it comes to education data breaches, with 710 colleges and 120 breaches, only approximately 16.9 percent of colleges in California have suffered a data breach.
Quite a large number of K–12 data breaches are recorded as impacting an entire school district versus individual schools. Therefore, we haven’t included an overall percent of schools affected by data breaches as the figures would be skewed when including private schools alongside districts.
Public institutions account for 78 percent of education breaches
Overall, 77.7 percent of the breaches occurred in a public school or college. Of these public breaches, 67.7 percent affected colleges. Private colleges were also heavily impacted, accounting for 90.9 percent of all breaches within private institutions.
Breaches in public institutions affected 20.6 million records, or around 20,000 records per breach. Private institution breaches affected 3.9 million records, or around 14,000 records per breach.
How do these figures compare when we break them down by K-12 schools and colleges?
- Public K-12 schools – 8,847 records affected per breach
- Public colleges/universities – 25,312 records affected per breach
- Private K-12 schools – 3,657 records affected per breach
- Private colleges/universities – 14,046 records affected per breach
The biggest-known education data breaches
According to our findings, there were 9 breaches that have affected half a million or more records. These are:
- 2013, Maricopa County Community College District Data Breach = 2.49 million records affected: A number of databases were breached and the records of nearly 2.5 million students, graduates, and staff were made available on the internet. As previously mentioned, this breach came with a lot of controversy due to the length of time it took for those affected to be notified.
- 2017, Harvard Computer Society = 1.4 million records affected: In this breach, over 1.4 million emails, which contained personal information of members of the Harvard Computer Society, were publicly available for a period of time.
- 2019, Georgia Tech = 1.27 million records affected: A central database was hacked, potentially exposing the records of nearly 1.27 million students, faculty, and staff members.
- 2017, Washington State University = 1.12 million records affected: Thieves broke into a storage locker and stole a safe. The safe contained a computer hard drive backup with over a million personal records, including social security numbers (SSNs).
- 2006, University of California at Los Angeles = 800,000 records affected: Hackers gained access to the university’s database which contained personal details on numerous people, the majority of which included current and former students and student applications. Personal details included SSNs, home addresses, dates of birth, and contact information.
- 2010, Ohio State University = 750,000 records affected: Unauthorized individuals managed to log onto the university’s server, gaining access to SSNs, dates of birth, addresses of current and former students, and details on staff and faculty members.
- 2012, University of Nebraska = 654,000 records affected: Hackers may have gained access to a database that contained details on current students and alumni dating back as far as 1985.
- 2019, Clark County School District = 559,487 records affected: As previously mentioned, this breach was part of the Pearson Education, Inc. data breach which affected numerous school districts.
- 2018, San Diego Unified School District = 500,000 records affected: A phishing attack enabled hackers to gain access to the district’s central student database.
Types of education breaches
As we have seen above, there are a number of different types of breaches that occur in education facilities, from physical thefts to online hacks. Overall, though, the most common type of data breach is a hack (from an external source).
Here’s a breakdown of all the breaches by type of breach:
- Hacking incidents = 581 (43.8 percent)
- Unintentional disclosures by the institutions (e.g. attaching personally-identifiable student data to an email by accident) = 341 (25.7 percent)
- Theft or loss of portable devices (e.g. USB drives or laptops) = 183 (13.8 percent)
- Reports of physical data being available to unauthorized personnel (e.g. paper data being disposed of without shredding) = 77 (5.8 percent)
- Theft or hack committed by insiders (e.g. students or employees at the school taking data for fraudulent purposes) = 70 (5.3 percent)
- Theft or loss of stationary devices (e.g. desktop computers) = 52 (3.9 percent)
The remaining breaches were unknown, and 2 were card breaches.
Most common breaches in colleges
- Hacking = 424 (43 percent)
- Unintentional disclosure = 269 (27.3 percent)
- Theft or loss of portable devices = 145 (14.7 percent)
- Physical data being exposed = 46 (4.7 percent)
- Insider hack/theft = 42 (4.3 percent)
- Theft or loss of stationary devices = 38 (3.9 percent)
- Unknown = 19 (1.9 percent)
- Card = 2 (0.2 percent)
Most common breaches in schools
- Hacking = 157 (45.9 percent)
- Unintentional disclosure = 72 (21 percent)
- Theft or loss of portable devices = 38 (11.1 percent)
- Physical data being exposed = 31 (9.1 percent)
- Insider hack/theft = 28 (8.2 percent)
- Theft or loss of stationary devices = 14 (4.1 percent)
- Unknown = 2 (0.58 percent)
The biggest years for K–12 school and college data breaches
If we take a look at the chart below, we can see that the biggest year for breaches overall was 2008. In 2008, there were 135 breaches in total, accounting for 10.2 percent of all the breaches. It was also the biggest year for college data breaches, with 101 (10.2 percent) occurring then.
However, it wasn’t the biggest year for K–12 school data breaches. 2019 was the biggest year for school data breaches, with 60 in total.
In contrast, 2008 wasn’t the top year for the number of records affected; rather, it was one of the lowest. 2013 and 2017 were the largest years overall, with 3.08 million and 2.95 million records affected, respectively. The majority of these records came from college breaches: 3.07 million and 2.9 million records affected in 2013 and 2017, respectively.
The biggest years for K–12 schools were 2018 and 2019 with 991,340 and 804,734 records affected, respectively.
There doesn’t appear to be any kind of trend in the breach numbers for K-12 schools or colleges, nor does there seem to be a pattern with college records affected. However, over the past few years, there has been a significant increase in the number of school records affected.
Some of the records included may be of employees at the facility. This is due to there being no breakdown between students and employees affected.
A vast number of the school-related breaches affected an entire school district, rather than a single school.
For the ratios, these are the most up-to-date figures, meaning schools or colleges could have opened or closed during the data breach period.
Private colleges include both for- and non-profit.
While all 50 states (and the District of Columbia) now have data breach notification laws, these may not have been in place during each year of our study. Therefore, there may be some breaches that were not reported.
When discussing the percentage of schools/colleges affected, we do need to allow some room for error here, as one school district/college may have had more than one breach, but it gives us an idea as to which states have received the highest proportion of breaches relative to the number of institutions they have.
Researcher note – 07/29/2020: Due to an error in reporting figures for the number of private colleges within several states, the section “% of colleges affected by breaches” contained some errors. This has now been rectified.