{"id":6621,"date":"2024-12-16T13:00:00","date_gmt":"2024-12-16T19:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/education-industry-data-must-be-protected"},"modified":"2024-12-16T13:00:00","modified_gmt":"2024-12-16T19:00:00","slug":"the-education-industry-why-its-data-must-be-protected","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/16\/the-education-industry-why-its-data-must-be-protected\/","title":{"rendered":"The Education Industry: Why Its Data Must Be Protected"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

We often think of high-risk industries like finance or healthcare when considering the risks of data being targeted and exfiltrated. However, the education industry and its infrastructure \u2014 which require personal identifiable information (PII) \u2014 are often overlooked.<\/span><\/p>\n

For many, this exchange of PII for goods and services (in this case, enrolling in school) may not seem worrisome. But for K-12 students, it’s a potentially early introduction to cybercrime and its damages.<\/span><\/p>\n

With some schools <\/span>already under cyber threat<\/a><\/span>, the urgency of reevaluating data protection strategies becomes increasingly clear.<\/span><\/p>\n

Identity Theft Before High School<\/h2>\n

In 2023, educational institutions saw <\/span>increased data breach activity<\/a><\/span>. For many adults, the reality of <\/span>data breaches<\/a><\/span> is well-known and often just a part of daily life \u2014 don’t click on suspicious links, enable credit monitoring, and be wary of <\/span>scam calls<\/a><\/span>. This is a faraway concept for younger students in K-12 schools, yet their data is some of the most vulnerable.<\/span><\/p>\n

One vulnerability in an application used across the education sector can have a huge attack surface for these students. For example, schools use apps and online resources to support teaching materials. Still, educators can’t ensure these vendors are appropriately safeguarding the PII, such as names and emails. Examples like Los Angeles Unified School District and its experience with a <\/span>chatbot named “Ed.”<\/a><\/span> On the surface, Ed was meant to be a personal assistant to the district’s students and used their data. However, when the bot’s startup company, AllHere, went dark and the chatbot disappeared, questions remained regarding where precisely the student data went.<\/span><\/p>\n

Schools across the United States are well into their school year, meaning parents have already provided shot records, medical history, and other sensitive information regarding their children. That information is stored across school servers, possibly even in third-party databases like AllHere’s chatbot.<\/span><\/p>\n

These parents of K-12 students may be unknowingly giving threat actors the information they need to<\/span> steal their child’s identity<\/a><\/span> before they ever enter college.<\/span><\/p>\n

Tucson Unified School Distric<\/a><\/span>t experienced its own run-in with cybercriminals and ransomware in 2023 when the <\/span>ransomware group Royal<\/a><\/span> extorted what they claimed to be all student personal information \u2014 including passports, Social Security numbers, birth certificate information, and more.<\/span><\/p>\n

Research from <\/span>Comparitech<\/a><\/span> shows that data breaches have affected more than 37.6 million records across K-12 schools and higher education since 2005. Between 2018 and 2021, 61% of targeted institutions in the United States education sector were K-12 schools. While more records were affected in ransomware attacks targeting universities and colleges, this interest in our youth’s data highlights their vulnerability to cyberattacks.<\/span><\/p>\n

Instances like the Tucson incident are not as rare as many educators and parents would hope. Our youth, lacking the same access or abilities to monitor their credit or make informed decisions after cyber events, are particularly vulnerable. The full effects of a successful ransomware attack like the one Tucson Unified School District experienced can be devastating for the incredibly vulnerable student demographic.<\/span><\/p>\n

Misconceptions Regarding Data Thieves<\/h2>\n

We’ve reached <\/span>record-breaking ransomware attacks<\/a><\/span> in 2024, and our data across all industries is at risk. However, the inundation of data breaches and data theft paired with daily organizational demand for consumer data has created an interesting phenomenon: Consumers don’t trust their data will ever be secured.<\/span><\/p>\n

Cybercriminals are opportunistic and self-serving, often looking for the easiest way to steal valuable information they can exfiltrate and extort for money. They are exploiting vulnerabilities and pushing out phishing campaigns to steal data for their own benefit, but this behavior doesn’t just affect adults.<\/span><\/p>\n

While historically the education sector has not been a priority target for these groups, the outbreak of 2023 highlights a new reality. Threat actors are becoming more aggressive in their methods, and data protection across K-12 and higher education institutions must be prioritized moving forward.<\/span><\/p>\n

Preventing Data Theft in the Education Sector<\/h2>\n

Higher and lower education organizations have reported increasing ransomware attack rates starting in 2021 according to the “<\/span>2024 Sophos State of Education<\/a><\/span>” report.<\/span><\/p>\n

The same report also shows attacks across both lower and higher education institutions are becoming more dangerous:<\/span><\/p>\n

\n