A cybersecurity incident is an event that actually or potentially jeopardizes a system or the information it holds. According to GAO’s analysis of K-12 Cybersecurity Resource Center (CRC) data from July 2016 to May 2020, thousands of K-12 students were affected by 99 reported data breaches, one type of cybersecurity incident in which data are compromised.
Students’ academic records, including assessment scores and special education records, were the most commonly compromised type of information (58 breaches). Records containing students’ personally identifiable information (PII), such as Social Security numbers, were the second most commonly compromised type of information (36 breaches). Financial and cybersecurity experts say some PII can be sold on the black market and can cause students significant financial harm. Breaches were either accidental or intentional, although sometimes the intent was unknown, with school staff, students, and cybercriminals among those responsible (see figure).
Staff were responsible for most of the accidental breaches (21 of 25), and students were responsible for most of the intentional breaches (27 of 52), most frequently to change grades. Reports of breaches by cybercriminals were rare but included attempts to steal PII. Although the number of students affected by a breach was not always available, examples show that thousands of students have had their data compromised in a single breach.
Responsible Actor and Intent of Reported K-12 Student Data Breaches, July 1, 2016-May 5, 2020
Notes: The actor or the intent may not be discernible in public reports.
For this analysis, a cybercriminal is defined as an actor external to the school district who breaches a data system for malicious reasons.
Of the 287 school districts affected by reported student data breaches, larger, wealthier, and suburban school districts were disproportionately represented, according to GAO’s analysis. Cybersecurity experts GAO spoke with said one explanation for this is that some of these districts may use more technology in schools, which could create more opportunities for breaches to occur.
Direct to Full Text Report
27 pages; PDF.