GAO Examines K-12 Breaches, Finds PII Risks

Cyber incidents at K-12 schools over the last few years have put the personally identifiable information (PII) of students at risk, with breaches primarily resulting from intentional actions by students and unintentional actions by staff, according to a recent Government Accountability Office (GAO) report.

The report, requested by Rep. Virginia Foxx, R-N.C., reviewed 99 incidents where K-12 student data was breached from 2016 to May 2020, and found common trends among the incidents. One of those trends was that the largest source of breaches was deliberate student action: 27 of those cyber events were the result of students' actions, while cybercriminals accounted for only six breaches. The second-largest source of incidents was accidental staff actions, which accounted for 21 breaches of student data.

“Though reports of breaches by cybercriminals or by vendor error were rare, those breaches affected large numbers of students, sometimes across multiple districts,” the report cautions, including incidents where cybercriminals intentionally targeted PII.

GAO also emphasized that while it only reviewed the 99 incidents where student data was confirmed to be breached, there are likely many more that put student data at risk.

“Reported incidents sometimes do not include sufficient information to discern whether data were breached. We identified 15 additional incidents in our analysis of CRC data in which student data might have been compromised, but the available information was not definitive,” GAO writes.

The report also found that reported student data breaches are more common in mid-sized and larger districts, districts with lower levels of student poverty, and suburban districts.