The education sector was responsible for at least 172 data breaches in 2021, making it the second most vulnerable to security incidents.
Only the public sector (263) suffered more publicly disclosed data breaches last year, according to data from our sister company IT Governance, which reviewed more than 1,000 security incidents across the year.
This should cause huge concern for schools and other educational institutes, because most of those incidents would have related to children, whose data is subject to specific protections under the GDPR (General Data Protection Regulation).
As such, any educational institute that fails to adequately protect personal data not only risks harm to the affected individuals but could also face strict penalties, including a substantial fine.
The GDPR also states that data controllers can be held accountable for security incidents that occur at third-party organisations.
This means, for example, that if an educational institute outsources a data processing task to a private firm which then compromises that data, both organisations could be liable under the GDPR.
You can find information and guidance about data breaches in the education sector in our free green paper Cyber Security 101 – A guide for schools.
It also contains essential guidance on what your school must do to protect its systems, and debunks six common cyber security myths.
How are data breaches occurring?
When a data breach is publicly disclosed, organisations don’t always know, or aren’t obliged to say, what caused it.
But where this information was known, ransomware was the most common cause of breaches among schools, accounting for 41% of all incidents.
IT Governance’s report found 70 ransomware attacks against schools in total, demonstrating the challenges that schools have faced during the COVID-19 pandemic. With campuses closed due to lockdown restrictions, classes and other activities were done online, bringing with it the requirement for new technologies.
This increased the threat surface, adding new potential vulnerabilities that cyber criminals could exploit. It also made schools a more attractive target. Criminal hackers were aware how important it was to have access to technology and reasoned that education institutes would be more willing to pay an extortion demand if they were exploited.
Of course, this isn’t an issue that’s exclusive to the education sector. Ransomware accounted for 401 security incidents, which represents a 39% increase on the previous year and 32% of all security incidents in 2021.
Another common cause of data breaches at schools was internal error. The report found 19 such cases, which includes any incident in which an employee exposes sensitive information by mistakes. This might be a result of emailing records to the wrong person or misconfiguring a database online.
In more positive news, there were only four reported cases of data breaches resulting from a malicious insider. These breaches occur when a pupil or employee sabotages the organisation by misappropriate or leaking sensitive information.
These breaches can sometimes be relatively harmless, with a pupil hacking into the school’s system to deface a website. However, they can sometimes have more sinister and harmful effects.
Malicious insiders are often motivated by revenge, which is most likely to occur when an employee has been fired or feels unvalued in their work. They will compromise data to deliberately cause problems for the organisation – but if children’s personal information is affected, the harm will be far greater than simply reputational damage.
How else can you protect your school?
You can find more tips on how to prevent data breaches by reading Cyber Security 101 – A guide for schools.
This free green paper gives an overview of the threat landscape and explains how schools can secure their systems.
You’ll learn why things such as risk assessments, staff training and access controls are essential, and discover the first steps toward bolstering your security defences.