10,000 Breaches Later: Top Five Education Data Breaches

According to the National Center for Education Statistics (NCES), about 56.6 million students are attending school this fall. The NCES also reports that there are 3.7 million teachers currently in the United States. That is over 60 million students and teachers spending their time inside of schools, on their Wi-Fi, online programs and much more. Data breaches that affect students and teachers are not uncommon, although education ranked lowest of the five industry sectors that the Identity Theft Resource Center (ITRC) records in 2018 with 76 education data breaches exposing 1,408,670 records. However, 2017 was a different story. According to the ITRC’s 2018 End-of-Year Data Breach Report, in 2017 there were 128 education data breaches exposing 1,418,455 records. So far in 2019, there have been 104 breaches exposing 2,248,578 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter. While the education sector is not seeing as many breaches as some of the other industry categories, the ITRC believes that one breach is one too many. That is why we continue to empower identity theft victims – particularly those that are victims of education data breaches – with the resources to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we looked at the top banking, credit and financial data breaches. This week we conclude our blog series with a look at the top five education data breaches that impacted U.S. teachers, students and families and their personal information that was compromised.

Maricopa County Community College District

Following a data breach incident in January 2011, Maricopa County Community College District experienced another education data breach in 2013 that led to personal information like names, addresses, Social Security numbers, dates of birth and financial aid information being exposed. The breach affected 2.5 million current and former students, employees and vendors. In January 2011, the district was first notified by the FBI of a small data breach affecting 400 people. Information from its database was found online for sale, and the FBI warned the district that it needed to properly secure its systems. Ten months later the district was warned, once again, this time after the Arizona Auditor General found that terminated employees still had active user accounts on the district’s network. One year later an audit found that the district had still not tightened up its security procedures. This led to the breach in 2013 which discovered, once again, sensitive information had been found for sale online. The impact on those teachers and students was potentially catastrophic given the amount of sensitive information and data compromised. This education data breach also highlights the importance of businesses and schools to take their security measures seriously.

Georgia Tech

In April 2019, Georgia Tech announced that nearly 1.3 million current and former faculty members, students, staff and student applicants had been affected by an education data breach that was caused by unauthorized access to a web application. Information compromised included names, addresses, dates of birth and Social Security numbers. The university has taken steps since to help people who were affected by offering credit monitoring and identity theft protection services to individuals who had their Social Security number exposed. Faculty members and students should be aware of the sensitive nature of their data and the potential unique identity theft aspects that could come from its exposure.

Washington State University – Social & Economic Science Research Center

Two years prior to the Georgia Tech education data breach, Washington State University learned that a locked safe containing a hard drive used by the Social & Economic Science Research Center to store backed-up files had been stolen. The hard drive contained a wide range of sensitive information on 1.1 million individuals including demographic information, Social Security numbers and personal health information. In April of 2019, the university reached a $4.7 million settlement where victims were entitled to receive up to $5,000 in cash reimbursements for any out-of-pocket expenses incurred, credit monitoring services or credit reports. This breach stresses the importance of making sure schools and universities have guidelines and measures in place to make sure that all student and faculty information is securely protected and that there is no risk of it being stolen, whether online or from a safe.

University of California Los Angeles (UCLA)

In October 2006, UCLA was hit by a cyber-attack allowing a hacker to gain access to a restricted database containing sensitive information of 800,000 current and former students, faculty and staff. The database included names, addresses, dates of birth and Social Security numbers. While this breach affected less than five percent of the records in the database, it was still one of the largest education data breaches at that time. While the university said there was no evidence of any personal information being misused, they suggested those possibly affected contact credit reporting agencies and take steps to minimize the risk of potential identity theft.

Pearson

Initially reported in July 2019, educational software maker, Pearson, experienced a data breach affecting its AIMSWeb 1.0 platform. Roughly 13,000 school and university accounts were affected by this breach. However, this number does not include the individual students and staff members whose information was contained in each account. Although the information exposed varies per account, information like student names, student dates of birth, student email addresses, student ID numbers, staff names, staff email addresses, job titles and more was exposed. In an interview with the Las Vegas Review-Journal, ITRC president and CEO, Eva Velasquez said, fortunately, the information exposed was limited: “Just a name is not going to necessarily lead to an increase in the risk of identity theft. A name and date of birth could potentially lead to a slight increase. But as far as very serious personal identifying information, it does not appear that this breach contains that level of data.” School districts are continuing to come forward to report being affected by the Pearson breach. As we recap education data breaches, the ITRC hopes to help those impacted – both as faculty members, students, schools and universities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just set it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a school or university that has been impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach. For a complete look at all the blogs from the 10,000 Breaches Later blog series, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series. Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

You might also like… 10,000 Breaches Later: Top Five Financial, Credit and Banking Data Breaches 10,000 Breaches Later: Top Five Military and Government Data Breaches 10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches