Data Breaches in US Schools Exposed 37.6M Records

Since 2005, educational institutions in the United States have experienced 3713 data breaches, impacting over 37.6m records. 

According to new data from Comparitech, 2023 marked a record year, with 954 breaches recorded – a dramatic rise from 139 in 2022 and 783 in 2021. This surge was primarily attributed to vulnerabilities in the MOVEit file transfer software, which affected over 800 institutions.

The number of records compromised in 2023 soared to nearly 4.3m, compared to approximately 2.6m in both 2021 and 2022. Among these, 1.7m records were compromised in third-party breaches, and 1.9m were affected by 65 ransomware attacks.

The Comparitech research, analyzing data from the past 19 years, identified key trends and hotspots for breaches in the education sector. Colleges and universities accounted for 60% of breaches, largely due to the MOVEit incident, and 83% of affected records originated from post-secondary institutions. 

Cyber-attacks and ransomware have become the predominant causes of breaches, with third-party breaches also increasing due to significant incidents like those involving Blackbaud, Illuminate Education and MOVEit. The MOVEit breach alone impacted at least 802 educational institutions.

Read more on the MOVEit vulnerability: MOVEit Vulnerability Hits Delta Dental: 7m Records Exposed

Regulation changes made in 2018 by the US Department of Education required Title IV institutions to report any breach, regardless of the number of records affected, enhancing transparency. The largest breaches of 2023 included the University System of Georgia, which reported that 800,000 individuals were impacted by the MOVEit exploit.

In terms of state impact, New York reported the highest number of breaches (800), with California following at 401. However, California also had the largest number of records affected at more than 3.3m, closely followed by Arizona with nearly 2.9m. Texas led in K-12 student records breached, with over 1.7m records compromised.

Ransomware attacks predominantly hit K-12 schools, with 149 out of 246 tracked incidents since 2018 affecting this sector. Despite this, post-secondary institutions saw a higher volume of records impacted by such attacks, with 3.74m records breached compared to 1.53m in K-12 schools. North Dakota reported the highest rate of student records impacted per capita.

The top ten biggest breaches included notable incidents like the Maricopa County Community College District in 2013, affecting 2.49m records, and the Harvard Computer Society breach in 2017, impacting 1.4m records. Other significant breaches involved institutions like Georgia Tech and the University of California at Los Angeles.

In 2024, the first quarter saw a significant reduction in breaches, with only 16 incidents reported between January and March, affecting 58,400 records, suggesting a potential positive trend. However, the long-term outlook remains uncertain as cyber-attacks continue to evolve. 
