From the U.S. Government Accountability Office, www.gao.gov

Transcript for: The Harm of Data Breaches in Public K-12 Schools

Description: Schools collect and store a range of information about
students, including data on their grades and test scores, addresses and
phone numbers, Social Security numbers, and even medical information.
Disclosing this information could be harmful to students physically,
emotionally, and impact their long-term financial health. We talk with
GAO's Jackie Nowicki--an expert on K-12 education and school safety,
and a director in our Education, Workforce, and Income Security
Team--about a new GAO report on data breaches in public schools. 

Related GAO Work: GAO-20-644, Data Security: Recent K-12 Data Breaches
Show That Students Are Vulnerable to Harm

Released: October 2020

[Intro Music]

[Jackie Nowicki:] Schools, just like other organizations that collect a
lot of sensitive information, are susceptible to data breaches. 

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for
news and information from the U.S. Government Accountability
Office--I'm Holly Hobbs. Schools collect and store a range of
information about students, including data on their grades and test
scores, addresses and phone numbers, Social Security numbers, and even
medical information. Disclosing this information could be harmful to
students physically, emotionally, and impact their long-term financial
health. 
Today we talk with GAO's Jackie Nowicki--an expert on K-12 education
and school safety, and a director in our Education, Workforce, Income
Security Team--about a new GAO report on data breaches in public
schools. Thank you for joining us Jackie! 

[Jackie Nowicki:] It's great to be here Holly.

[Holly Hobbs:] So Jackie, have there been data breaches at schools, and
how common is this? 

[Jackie Nowicki:] Schools, just like other organizations, have
experienced data breaches. But the real magnitude of those breaches is
difficult to know, and that's because schools may not be aware that
their data was breached, or they might not report the breach because
requirements to do so vary by state.  

[Holly Hobbs:] So, who is targeting school and student data, and what
are they after? 

[Jackie Nowicki:] So, we know that tens of thousands of students have
had their personal information compromised in almost 100 data breaches
at schools, from July 2016 through  early-May 2020. And we know that
staff and students are responsible for the large majority of reported
breaches. For example, we know that about one-third of them were caused
by teachers and staff, and most of those were accidental. In those
cases, for example, staff might make a mistake such as emailing
information to the wrong recipient. In another third, those were
perpetrated by students, and most of those were intentional. And
usually that was students trying to change grades for themselves or
other people. And students gained unauthorized access to data in a
variety of ways. So, for example, they might steal a teacher's login
information to a school system. 

[Holly Hobbs:] Do the schools that have had data breaches have any
characteristics in common? 

[Jackie Nowicki:] Larger, wealthier, and suburban districts reported a
disproportionate share of data breaches. For example, four of the five
largest school districts in the country had a reported breach. And this
could be because larger districts are a more attractive target than
smaller ones, or because they use more technology in schools--providing
more opportunities for breaches to occur. It could also be that these
kinds of districts are more likely to have the resources available to
them to identify and report that breaches occurred in the first place.

[Holly Hobbs:] And Jackie, because of COVID-19, we've got more kids in
classrooms using Internet to learn remotely rather than in-person. Is
this increasing the risk of data breaches? 

[Jackie Nowicki:] Well, some experts explained to us that, with
distance learning, students and teachers don't always have their
laptops or tablets connected to school networks like they usually do
when they are physically present at school. And that could provide some
level of protection because risks are confined to an individual's
device. But the introduction of new technology during the pandemic,
which was sometimes quickly deployed, presents important cybersecurity
concerns beyond data breaches. So, the most notable incidents were the
Zoom bombings that we all heard about last April and May. Some of which
exposed students to hate speech. Our analysis of the data breaches goes
through May 5 of this year; so, pretty early on--you know--in the
transition to distance learning. But we did find some differences in
reported breaches in April and May 2020 as compared to previous years.
So, for instance, we saw a decline in phishing incidents. And it
doesn't necessarily mean the risks have gone down. There are some
cybersecurity experts who are concerned that those kinds of attacks
have actually increased but are now going undetected.

[Music]

[Holly Hobbs:] So, we know schools are recording and storing data on
students that is important to their education and safety, but it sounds
like this data is also at risk of disclosure through cyberattacks or
other threats; and that there might be new risks as a result of
distance learning because of COVID-19. Jackie, is the Department of
Education or other federal agencies doing anything to help protect
students' data?

[Jackie Nowicki:] Several federal agencies are taking some steps to
help schools and school districts. For example, they are providing
resources that might help them prevent and respond to student data
breaches. The Department of Education shares best practices for helping
to train people--including, tips to prevent the inadvertent disclosure
of sensitive information over email. And some agencies created
resources to help schools address the evolving challenges related to
distance learning. 

[Holly Hobbs:] And Jackie, last question, what's the bottom line of
this report?

[Jackie Nowicki:] Well, schools, just like other organizations that
collect a lot of sensitive information, are susceptible to data
breaches. And whether those breaches are accidental or intention, they
can leave students vulnerable to financial or even physical harm. And
while we know that tens of thousands of students have had their
sensitive data breached, the real scope of the problem is really
difficult to know.

[Holly Hobbs:] That was Jackie Nowicki talking about GAO's recent
report on public school data breaches. Thank you for your time Jackie! 

[Jackie Nowicki:] My pleasure Holly. Great to be here.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts. And make sure
you leave a rating and review to let others know about the work we're
doing. For more from the congressional watchdog, the U.S. Government
Accountability Office, visit us at GAO.gov.