US schools have lost 24.5 million records in breaches since 2005


A report from Comparitech found that since 2005 K–12 districts and colleges/universities have been attacked more than 1,300 times.

Data security breach

gustavofrazao, Getty Images/iStockphoto

A report from Comparitech has looked into cyberattacks on educational institutions in the United States, finding that there have been more than 1,300 breaches since 2005 and more than 24 million records lost

Comparitech data researcher Sam Cook dug deeper into the data and discovered that every state besides Wyoming has reported at least one breach since 2005, with California and Arizona suffered from the most amount of records lost.  

While the numbers show that 2008 had the most education data breaches, these numbers are a bit skewed because the majority of states have only implemented breach notification laws in the last few years. It was only in 2018 that the federal Department of Education mandated that all Title IV institutions have to report all breaches regardless of size.  

The years with the most number of records lost were 2013 and 2017. The study data shows that public schools and universities often suffered from more breaches than private ones. 

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

“If we take a look at the number of breaches by US state, we can see that California had the most by far, accounting for 157 of the 1,328 breaches (11.8 percent),” the report found. “The list of worst-hit states also includes New York with 89, Texas with 79, Illinois and Ohio each with 60, and Florida with 58,” the study’s researchers state, adding that these numbers were not surprising because California, Texas, New York, Illinois, and Ohio are the biggest states in the country and have huge numbers of schools and students.  

California remains a hotspot, according to the report, “yet Arizona becomes one of the worst-hit states with only slightly fewer people affected in its breaches than California (2.83 million compared to 2.88 million). West Virginia and Georgia also display high numbers of records affected in contrast to the number of breaches with 1.3 million and 1.6 million records impacted, respectively. Other states with high numbers of records exposed or stolen in breaches include Ohio (1.4 million), Massachusetts (1.7 million), and Florida (1.6 million).”

The report finds vast differences between the states with a high number of attacks on K-12 schools and those with more breaches at colleges or universities. 

Texas, California, Illinois, New York and Florida had the highest number of breaches at K-12 schools from 2005 to 2020 but some states, like Nevada, still had large numbers of records lost despite low amounts of breaches. 

The study notes that Nevada’s high number of records lost can be attributed in no small part to two specific breaches that took place in Washoe County and Clark County. The two counties lost 114,000 and 559,487 records, respectively, in their school districts as part of the Pearson Education data breach, which affected dozens of schools across the country. 

According to the study and news reports, the hack involved a breached student assessment tool created by Pearson’s AIMSweb and exposed the information of thousands of students. The tool was breached, leaving some personally identifiable student information exposed at more than 13,000 schools.

In an email interview, Cook said states like California, Texas, and Florida had high numbers because of their huge populations, number of colleges, and size of K-12 school districts, making them attractive targets. 

“New York is an interesting case, though,” Cook said. “Although its college and K-12 size is among the top, and it’s experienced a large number of data breaches as a result, it’s collectively lost very few for the number of data breaches it’s had. We haven’t spoken to any CIOs anywhere, but I would chance a guess that New York’s more centralized college system, in particular, is the reason why they’ve seen fewer losses as a result.” 

“They likely implement the same mitigation standards across all of their higher ed institutions, whereas most other states’ college and universities aren’t as centrally controlled,” Cook added. “Here and there, a few data breaches across the US are an issue of poor IT infrastructure or unintentional disclosures due to some severe oversights that leave data exposed.”

California leads in breaches and records lost

When it comes to attacks on colleges, the study found that California’s numbers were far and away higher than any other state, doubling and sometimes tripling the amount of breaches and records lost.

According to Cook’s research, California accounted for 12.2% of the 985 college data breaches and 10.6% of the 21.5 million records impacted. New York came in second with more than 60 breaches and almost half a million records lost. Six states had more than one million records lost through breaches: Florida, Arizona, Massachusetts, Georgia, Ohio, and Washington. 

Cook honed in specifically on Arizona, which had a large number of records lost in comparison to the paltry number of breaches. 

“This arises from a large breach which affected almost 2.5 million records from Maricopa Community Colleges. The college system came under fire due to the length of time it took to notify those involved (seven months). The cleanup reportedly cost $26 million,” Cook wrote.

The study also has valuable data on the percentage of schools in each state that suffered breaches, finding that while California had outsized numbers, relatively smaller states had higher percentages of schools hit between 2005 and 2020. 

Cook also breaks the numbers down by records lost per breach, finding that public K-12 schools lost 8,847 records per breach while public colleges or universities lost 25,312 records per breach. Private K-12 schools had 3,657 records affected per breach and private colleges or universities lost 14,046 records per breach.

Almost half of all incidents involved hacking but a sizable amount of breaches happened because of unintentional disclosures by the institutions or theft or loss of portable devices. The biggest breaches since 2005 were the 2013 Maricopa County Community College District Data Breach, which resulted in 2.49 million records lost and the 2017 Harvard Computer Society breach involving 1.4 million lost records.

Colin Bastable, CEO of security awareness training company Lucy Security, said schools are particularly vulnerable because most people working for educational institutions don’t expect to be victims.

He added that schools need to make greater investments in security and teach their staff how to stay cybersafe at work and at home.

“Hackers are very smart, and very highly motivated, whereas staff are focused on school life and their public service. It is an uneven battle. The public sector is generally less well-equipped to defend against cybercrime,” Bastable said.  

“In my tests and demonstrations with customers and prospects, 30% of phishing emails get straight through state and local firewalls, compared to 10% of simulated attacks on the private sector. A lot of state and local money is now spent on teacher pensions, depriving school districts of the financial wherewithal to invest in cyberdefense, forcing security teams to make hard spending decisions. Ninety-seven percent of losses are initiated by social engineering, over 90% by email, and up to 30% of untrained school staff have a very high propensity to unwittingly open the door to hackers.”

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see

K-12 schools use AI and automation to customize lessons and pivot from in-person to online classes


Edtech company Edmentum has built a virtual assistant to help teachers master new education platforms quickly.

Image: Getty Images/iStockphoto

One of the oldest online learning companies in the US is using automation and artificial intelligence (AI) to help educators and school districts keep teaching during the coronavirus epidemic. Edmentum has been building online learning programs since the 1960 when the company got its start at the University of Illinois. 

The company creates online learning classes and management platforms for K-12 schools and works with 8,000 districts in the US and the UK. Paul Johansen, Edmentum’s CTO, said that most schools are preparing for a hybrid model of education for the upcoming school year, due to  COVID-19. 

“Schools need to be able to flip the switch between in the building or out because they may move from in-school to out for unknown periods of time,” Johansen said.


Johansen said that Edmentum has seen two general approaches to managing online education for K-12 students. Some school districts are leveraging online platforms such as Google Classroom to keep teaching students during work-at-home orders due to the coronavirus. Others are taking a more comprehensive approach to online learning by using digital tools for curriculum planning and assessments.

SEE: Guide to Becoming a Digital Transformation Champion (TechRepublic Premium)

Johansen added that there’s no one specific approach, and that schools are creating instruction plans that fit their own needs and resources. Most school districts in the US also have to consider access to an internet connection as many students in rural areas do not have connectivity at home.


“Some districts are moving back to paper-based work or non-tech dependent solutions to ensure equity,” he said.

Keeping up with changing state standards across the US

Subject matter experts at Edmentum track changing standards for K-12 education at the state level in the US. The Common Core was used by many states for a few years, but it has fallen out of favor  recently. Edmentum relies on automation to customize online curriculums to meet the requirements in each state. 

“There are differences across the states, but there’s a common skills framework,” Johansen said. “That’s where we build in as much automation into the process as we can.”

For example, skip counting is part of the math standard in many states, but the Indiana standard may expect elementary students to skip count by fives, while the Tennessee standard specifies skip counting by tens.

“An author on our staff creates a generic math question, and then an automation algorithm creates the variations on that question,” he said.

Edmentum’s Study Island product tracks these state-by-state standards and then creates practice problems, quizzes, and tests that can be customized for each student.

Digital curriculum planning can help teachers build and track a personalized learning plan for each student. Johansen said that test scores from standardized assessments are used to customize math lessons for kids who are working at, above, or below grade-level expectations.


“In one class, a teacher may have 10 students on track, 10 ahead, and 10 one or two grade levels behind on math skills,” he said. “We can use adaptive tech to help one student push ahead and go back to essentials with another student.”

Teachers can use these customized plans to keep the whole class on track to meet state expectations for students at that grade level.

Encouraging data standards

The key to using test scores to guide instructional plans and data sharing across systems has been a challenge until recently. The Family Educational Rights and Privacy Act (FERPA) governs student data and how it can be shared. The Ed-Fi Alliance is one of several advocacy groups that is working on common standards to make it easier to share testing data across schools and information systems.

Johansen said that over the last two years, edtech companies and education advocates have been focused on using artificial intelligence to analyze student data. has a list of voluntary guidelines that cover how to use this data. The Future of Privacy Forum and The Software & Information Industry Association are working on an update to the pledge, that was first developed in 2014.

Onboarding help via a virtual assistant

To help teachers learn now to onboard students and find state standards for various subjects, Edmentum is developing an artificial intelligence engine to power a virtual assistant as part of the online curriculum platform.


“Instead of a teacher having to learn the product, he or she can have a conversational chat with a virtual advisor,” Johansen said. “We have reduced the general onboarding flow from 27 minutes to just over four minutes.”

Data, Analytics and AI Newsletter

Learn the latest news and best practices about data science, big data analytics, and artificial intelligence.
Delivered Mondays

Sign up today

Also see