K-12 Cybersecurity Breaches Worse Than Reported at Federal Level

The impact of K-12 cybersecurity breaches may be much wider than is being discussed at the federal level, according to K12 SIX advisor Douglas Levin of EdTech Strategies, LLC.

"The [U.S.] GAO relied on a private database of cyber attacks and leaks collected by Doug Levin of EdTech Strategies, a consulting firm. That’s because there’s no federal requirement for school districts to report data breaches. Most states have data breach notification laws but they vary a lot and there’s no obligation for state agencies to disclose them publicly. So the GAO turned to Levin’s K-12 Cybersecurity Resource Center, which has been collecting press clips about school data breaches from around the country and monitoring the states that do publicly report, such as Texas.

However, Levin’s own analysis of the data he shared with the GAO arrived at different totals. He counted 458 data breaches in school districts; 315 involved the unauthorized release of student data. That’s more than four times greater. Levin documented that more than a million student records have been affected, not thousands.

Why the discrepancy? The GAO counted each attack as one incident regardless of how many school districts were affected. Levin counted each district’s data breach separately, even if they were all hit by the same cyber attack. For example, a major breach at educational testing company Pearson in 2018 affected an unknown number of student records in thousands of schools. The GAO counted that as one incident. Levin identified 135 of the districts and counted it as 135 separate incidents.”

Read more at the Hechinger Report: https://hechingerreport.org/proof-points-what-happens-when-private-student-information-leaks/