When people think about student data at K-12 schools being compromised, they tend to envision things such as test scores and grades being shared publicly.
While that type of information getting out is unfortunate, it’s minor compared to other problems a data breach can cause students.
“What has surprised people is that students themselves can be valuable targets for financial reasons,” says Doug Levin, co-founder and national director of the K12 Security Information eXchange, a nonprofit dedicated to protecting K-12 schools from emerging cybersecurity threats.
“Students, particularly younger students, have pristine credit and tax records,” he says, which make an enticing target.
This also makes students especially vulnerable to identity theft crimes that can occur after a school becomes the victim of a successful cyberattack. The value of student personal data is part of the reason school cyberattacks are increasingly common. In one 2023 survey of school IT leaders, 80% said their school was hit by ransomware attacks in the past year.
School IT leaders have devoted greater resources and efforts to preventing these attacks with staff training and more stringent security requirements, such as two-factor authentication. But the dangers an attack poses to students, and the role students need to play in order to help protect school networks, still aren’t always fully appreciated, Levin says.
Why Cyber Criminals Target Student Data
In addition to pristine credit records, students are at greater risk when their identities are stolen because nobody checks their spending activity.
“They don’t have anyone watching their credit records, and as a result, they can end up being abused for years until a student maybe applies for a college loan or tries to rent an apartment or buy a car,” Levin says. “Unfortunately, we have seen instances with students as young as first grade being subject to identity theft arising directly from a school cyber security incident.”
Multiple Ways For Student Data to Be Compromised
Just because a school network requires two-factor authentication for staff, it doesn’t mean that its network is safe from hackers. Even though student accounts don’t have the same rights and privileges as teacher and staff login accounts, there have been instances in which educators have unintentionally shared sensitive student data in environments that students can access, which can pose major risks, Levin says.
“If a threat actor was able to guess or somehow get the login information for a student account, they are able to then get to sensitive data and exfiltrate it, and either abuse that information or try to extort the school district to keep it from being abused,” he says.
Another way student data can become compromised is through scams that target students directly.
“One of the more frequent ones we’ve seen has been fake employment offers,” Levin says. These often take the form of a great job offer that is contingent on the student providing various forms of personal information for processing purposes. When students fall for this, their personal data can be compromised.
How Students Can Help Protect Their Own Data
“People have started to realize that educating staff about phishing scams and raising their cybersecurity awareness is important because the way so many of these attacks against school systems are successful is via phishing employees,” Levin says. “But students themselves are potentially a vector for these sorts of attacks against school districts and they’re also at risk themselves, and this highlights that they need to be an audience for these trainings themselves.” He adds this training should happen at a young age for students as children are getting online earlier and earlier.
Levin also makes it clear that he doesn’t believe protecting student data should be up to schools alone. Edtech companies should provide more data protection for all student-facing products out of the box, he says, “so we don’t need more expensive licenses to get core security features that we need to protect our school communities.”
In general, education also needs more funding to address cybersecurity and student data privacy concerns.
“Schools do need more resources and support and help from state and also the federal government,” Levin says. “It’s important that folks understand this isn’t an individual school system issue. This is a sector-wide issue, and we really need more support and help from the government.”