With the EU General Data Protection Regulation (GDPR) due to be enforced in May, it is perhaps no surprise that cybersecurity and data protection have become widely discussed issues in the education sector and beyond. Recent research by NW Security Group has revealed that 16% of education institutions in the North West of England have experienced a data breach.
At first glance, this seems like a surprisingly low figure, especially within the education sector where, during the first half of 2017, data breaches skyrocketed by an astonishing 103%, with 118 successful, known attacks on education institutions [1]. With such a dramatic and sudden increase, it is a little difficult to believe that so many schools, colleges and universities in the North West bucked the trend and avoided a data breach.
Could there be something else at play here?
Breach detection is a problem
Statistics show that there is a lag between a breach occurring and a breach being discovered. According to the Verizon 2018 Data Breach Investigations Report, 68% of data breaches took months, or even years, to discover [2]. An example of this came in 2016 when, due to human error, the University of Greenwich posted sensitive personal details about hundreds of research students on its website, including medical and mental health data. The breach went unnoticed until highlighted by a student [3].
In the case of an attack, this lag exists because intruders are, of course, deliberately attempting to avoid detection in order to maintain unauthorised system access for as long as possible. This allows them to explore and exploit a system fully, to extract the maximum amount of data possible, and to return if vulnerabilities are not identified and secured.
But there could be another issue at play here. A more accurate assessment of the survey result would be that only 16% of educational institutions currently realise that they have fallen victim to a breach, because of a lack of understanding about what constitutes a data breach. Not all data breaches are cyberattacks – they can also result from accidental data loss or inadequate data protection processes.
Awareness for educators
It is clear, then, that increased education around the potential threats schools, colleges and universities are facing is crucial. In Hampshire, a pupil managed to hack into his school’s website and expose the personal details of over 20,000 people, including photos and medical details of 7,600 pupils and personal details of 13,000 adults [4]. Despite having a policy in place prohibiting the use of duplicate passwords, the data controllers failed to realise that staff members were using the same passwords to access both the school’s web and management systems.
Had this breach occurred after the GDPR’s implementation, it is certain that the ramifications would have been much more severely felt. It is a great concern that, so close to GDPR’s implementation, data could be harvested from these institutions right now without them even realising it, leading to potentially severe fines if reported to the Information Commissioner’s Office, as well as reputational damage. Staff are a facility’s first line of defence, and its strongest asset if trained correctly on how to identify, and possibly even prevent, a breach. That is why educating the educators regarding the security threats they face today is so important.
Discover our professional security training, which empowers your staff to operate and react effectively to successfully identify and mitigate a data breach.