Education continues to be plagued by errors, social engineering and inadequately secured email credentials. With regard to incidents, DoS attacks account for over half of all incidents in Education.
- Top 3 patterns: Miscellaneous Errors, Web Application Attacks and Everything Else represent 80% of breaches
- Threat actors: External (57%), Internal (45%), Multiple parties (2%) (breaches)
- Actor motives: Financial (80%), Espionage (11%), Fun (4%), Grudge (2%), Ideology (2%) (breaches)
- Data compromised: Personal (55%), Credentials (53%) and Internal (35%) (breaches)
Illustrative breaches
- Total Registration
- Georgia Tech
- Wyzant
- Brighton and Sussex University Hospitals NHS Trust
- Rush University Medical Center
- UConn Health
- Educational Enrichment Systems, Inc. (“EES”)
- Manor Independent School District
- Richmond Community Schools
- Bartlett Public Library District
- Edtech Startup
- Melbourne Polytechnic
- Maastricht University
- College of DuPage, Illinois
- Unacademy
- San Dieguito Union High School
- Delhi University
- Proctorio
- Aberdeen University and Robert Gordon University
- University of Texas
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Ambrose University in Alberta, Canada
- Rhode Island School of Design, USA
- University of Exeter
- Haywood County Schools
- Springfield Public School
- Missouri Virtual Academy
- West Country School
- University of Tasmania
- Millstone Township School
- Guilford Technical Community College
- Johnson College
- WhiteHat Jr
- University of California SF
- University of Utah
- IIM Jobs
- AcadeME
- New York University
- New Skills Academy Online Learning Platform
- Dallas Independent School District
- Colorado University
- Broward County School District Florida
- Harvard-Westlake
- Sunderland University
- National University of Ireland Galway
- The De Montfort School (Worcestershire, England)
- Durham District School Board
- Midland University
- British Council
- Arı Innovation and Science Education Services
Data breach – maximum fines and damages
- Unacademy: India’s largest online education platform identified a data breach affecting around 11 million users. The exposed data included user IDs, names and usernames, encrypted passwords, email addresses, dates joined, and times of last login.
- The University of Texas MD Anderson Cancer Center: In June 2018 a judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer center suffered three data breaches between 2012 and 2013, which resulted in the loss of health information of over 33,500 individuals. In one case an unencrypted laptop was stolen from an employee’s residence. The other two breaches involved the loss of unencrypted USBs.
- Total Registration: A misconfiguration of an Amazon S3 file storage service potentially compromised the information of students who registered for exams like the PSAT and Advanced Placement. Total Registration, a Kentucky-based facilitator of test registrations, admitted that names of students and parents, dates of birth, languages, grade level, gender, student ID, and some Social Security numbers were implicated.
- K-12: K-12 schools underwent 122 known cyber security incidents last year, hitting 119 different education agencies in 38 states. The result was the “theft of millions of taxpayer dollars, stolen identities, tax fraud and altered school records,” according to the K-12 Cybersecurity Resource Center, an organization that tracks cyber incidents in schools. The largest attack cost a Texas district about $2 million; additional strikes on school systems in Idaho, Louisiana, New Jersey and Texas cost those districts between $300,000 and $988,000.
- Educational Enrichment Systems, Inc. (“EES”): On August 30, 2019, EES became aware of unusual activity related to a certain EES employee email account. Upon discovery, EES immediately launched an investigation, with the support of forensic investigators, to determine the nature and scope of the activity. Through this investigation, EES determined that this employee’s email account was accessed without authorization between May 27, 2019 and July 15, 2019.
- University of Maastricht: A Russian criminal gang demanded a ransom of 30 bitcoins, worth $220,000 at the time. The university decided to pay the Bitcoin ransom, as the alternative was to rebuild the school’s entire IT network from the ground up.
Enforcements
| Name | Fine | Authority |
| --- | --- | --- |
| School in Skellefteå | EUR 18,630 | Data Protection Authority of Sweden |
| Oslo Municipal Education Department | EUR 120,000 | Norwegian Supervisory Authority |
| Sapienza Università di Roma | EUR 30,000 | Italian Data Protection Authority (Garante) |
| Colegio Arenales Carabanchel (School) | EUR 3,000 | Spanish Data Protection Authority |
| Speech and Special Education Centre – Mihou Dimitra | EUR 8,000 | Hellenic Data Protection Authority |
| Istituto Comprensivo Statale Crucoli Torretta | EUR 2,000 | Italian Data Protection Authority |
| Warsaw University of Life Sciences | EUR 11,200 | Polish National Personal Data Protection Office |
| Iweb Internet Learning, S.L. | EUR 7,800 | Spanish Data Protection Authority |
| InfoMentor | ISK 3,500,000 | Data Protection Authority, Iceland (Persónuvernd) |
| Ferde AS | EUR 496,000 | Norwegian Supervisory Authority |
| Syddanmark Region | EUR 67,200 | Danish Data Protection Authority |
| Roma Capitale | EUR 800,000 | Italian Data Protection Authority (Garante) |
| Regione Lombardia | EUR 200,000 | Italian Data Protection Authority (Garante) |