Education continues to be plagued by errors, social engineering and inadequately secured email credentials. With regard to incidents, DoS attacks account for over half of all incidents in Education.

Top 3 patterns– Miscellaneous Errors, Web Application Attacks and Everything Else represent 80% of breaches

Threat actors– External (57%), Internal (45%), Multiple parties (2%) (breaches)

Actor motives– Financial (80%), Espionage (11%), Fun (4%), Grudge (2%), Ideology (2%) (breaches)

Data compromised– Personal (55%), Credentials (53%) and Internal (35%) (breaches)

Illustrative breaches

  • Total Registration
  • Georgia Tech
  • Wyzant
  • Brighton and Sussex University Hospitals NHS Trust
  • Rush University Medical Center
  • UConn Health
  • Educational Enrichment Systems, Inc. (“EES”)
  • Manor Independent School District
  • Richmond Community Schools
  • Bartlett Public Library District
  • Edtech Startup
  • Melbourne Polytechnic
  • Maastricht University
  • College of DuPage, Illinois
  • Unacademy
  • San Dieguito Union High School 
  • Delhi University
  • Proctorio
  • Aberdeen University and Robert Gordon University 
  • University of Texas
  • University of York
  • Oxford Brookes University
  • Loughborough University
  • University of Leeds
  • University of London
  • University of Reading
  • University College, Oxford
  • Ambrose University in Alberta, Canada
  • Rhode Island School of Design, USA
  • University of Exeter
  • Haywood County Schools
  • Springfield Public School
  • Missouri Virtual Academy
  • West Country School
  • University of Tasmania
  • Millstone Township School
  • Guilford Technical Community College
  • Johnson College
  • WhiteHat Jr   
  • University of California SF    
  • University of York           
  • University of Utah
  • IIM Jobs
  • AcadeME
  • New York university
  • New Skills Academy Online Learning Platform
  • Dallas Independent School District
  • Colorado University
  • Broward County School District Florida
  • Harvard-Westlake
  • Sunderland University
  • National University of Ireland Galway
  • The De Montfort School (Worcestershire, England)
  • Durham District School Board
  • Midland University
  • British Council
  • Arı Innovation and Science Education Services

Data breach – maximum fines and damages

  • Unacademy: India’s largest online education platform, has identified data breach of around 11 million users. The exposed data included user IDs, names and usernames, encrypted passwords, email addresses, dates joined, and times of last login.
  • The University of Texas MD Anderson Cancer Center: In June 2018 a judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer center suffered three data breaches between 2012 and 2013, which resulted in the loss of health information of over 33,500 individuals. In one case an unencrypted laptop was stolen from an employee’s residence. The other two breaches involved the loss of unencrypted USBs.
  • Total Registration: A misconfiguration of an Amazon S3 file storage service potentially compromised the information of students who registered for exams like the PSAT and Advanced Placement. Total Registration, a Kentucky-based facilitator of test registrations, admitted that names of students and parents, dates of birth, languages, grade level, gender, student ID, and some Social Security numbers were implicated.
  • K-12: K-12 underwent 122 known cyber security incidents last year, hitting 119 different education agencies in 38 states. The result was the “theft of millions of tax payer dollars, stolen identities, tax fraud and altered school records,” according to the K-12 Cybersecurity Resource Center, an organization that tracks cyber incidents in schools. The largest attack cost a Texas district about $2 million; additional strikes in school systems in Idaho, Louisiana, New Jersey and Texas cost those districts between $300,000 and $988,000.
  • Educational Enrichment Systems, Inc. (“EES”): On August 30, 2019, EES became aware of unusual activity related to a certain EES employee email account.  Upon discovery, EES immediately launched an investigation, with the support of forensic investigators, to determine the nature and scope of the activity.  Through this investigation, EES determined that this employee’s email account was accessed without authorization between May 27, 2019 and July 15, 2019. 
  • University of Maastricht: Russian criminal gang, demanded a ransom of 30 bitcoins, which was worth $220,000 at the time. The university decided to pay the Bitcoin ransom as the alternative was to rebuild the school’s entire IT network from the ground up.


School in SkellefteåEUR 18,630Data Protection Authority of
Oslo Municipal Education
EUR 1,20,000Norwegian Supervisory Authority
Sapienza Università di RomaEUR 30,000Italian Data Protection Authority
Colegio Arenales Carabanchel
EUR 3,000Spanish Data Protection Authority
Speech and Special Education
Centre – Mihou Dimitra
EUR 8,000Hellenic Data Protection Authority
Istituto Comprensivo Statale
Crucoli Torretta
EUR 2000Italian Data Protection Authority
Warsaw University of Life
EUR 11,200Polish National Personal Data
Protection Office
Iweb Internet Learning, S.L.EUR 7800Spanish Data Protection Authority
InfoMentor ISK 3,500,000 Data Protection Authority,
Iceland (Personuvernd)
Ferde ASEUR 496,000Norwegian Supervisory Authority
Syddanmark RegionEUR 67,200Danish Data Protection Authority
Roma CapitaleEUR 800,000Italian Data Protection Authority (Garante)
Regione LombardiaEUR 200,000Italian Data Protection Authority (Garante)