Federal watchdog finds escalating cyberattacks on schools pose potential harm to students

The Government Accountability Office (GAO), a federal watchdog agency, on Thursday published findings concluding that an increasing number of cyberattacks on educational institutions were putting students increasingly at risk. 

As part of a report finalized last month but made public Thursday, GAO concluded that “recent K-12 breaches show students are vulnerable to harm,” specifically pointing to the impact of malicious cyber incidents on the security of student data. 

GAO relied on data from the K-12 Cybersecurity Resource Center (CRC) to evaluate the impact of cyberattacks on student data. The CRC has recorded more than 1,000 cyber incidents involving K-12 institutions in the United States since 2016, including ransomware and denial-of-service attacks. 

Based on this data, the agency concluded that thousands of students were potentially negatively impacted by around 100 data breaches over the past four years, with academic records the most often type of data compromised, along with other personal identifying information, including Social Security numbers, also exposed. 

GAO cited evidence from cybersecurity and financial experts, noting that some of the student data compromised was subsequently sold on the black market, causing “some students significant financial harm.”

“Although the number of students affected by a breach was not always available, examples show that thousands of students have had their data compromised in a single breach,” GAO wrote. 

Rep. Virginia Foxx (R-N.C.), the ranking member of the House Education and Labor Committee, requested the study, with GAO writing to Foxx in a letter contained in the report that “disclosing a student’s personal information can potentially lead to physical, emotional, and financial harm.”

The agency cited increasing cyberattacks on schools and school districts prior to the COVID-19 pandemic as an problem, but also noted the uptick in cyber threats faced by educational institutions after students moved to remote learning, such as “Zoom bombing.” These attacks are made when an individual or group is able to interrupt classes held on video conferencing service Zoom.

“As schools and districts increasingly rely on complex information technology systems for teaching, learning, and operating, they are collecting more student data electronically that can put a student’s information, including PII, at risk of disclosure,” the agency wrote in the report. “The closure of schools and the sudden transition to distance learning across the country due to the Coronavirus Disease 2019 (COVID-19) pandemic also heightened attention on K-12 cybersecurity.”

Educational institutions have been increasingly targeted by malicious cyber actors, with classes disrupted even before the COVID-19 pandemic. The school district in Flagstaff, Ariz., was forced to delay classes for a few days last year due to a cyberattack, while a coordinated attack temporarily disabled multiple school districts in Louisiana in 2019. 

More recently, online classes in the Miami-Dade County Public School District were temporarily interrupted by a Distributed Denial-of-Service attack, with another attack hitting the school district in Fairfax County, Va. 

Lawmakers on Capitol Hill have taken notice of the escalating attacks on educational institutions, introducing multiple bills to attempt to funnel cybersecurity resources to schools, along with other state and local groups, to prevent and respond to cyberattacks.