Schools more vulnerable to cybercrime, report finds

In an increasingly digital world, protection from cyberattacks is more important than ever – especially for schools.
Nowadays both K-12 schools and universities are common targets for cybercriminals, since they hold a wealth of sensitive information and generally have smaller security budgets.
A new report from KnowBe4, a cybersecurity group, explains why schools are targeted and what can be done to prevent data breaches.
“The trove of sensitive information stored on an educational institution’s servers makes it a prime target for cybercriminals,” the report says. “While they may not be the most lucrative victims, there are several factors that make intrusion and extortion for ransom easier than organizations or institutions that are financially stronger and better-equipped sectors.”
Security is especially difficult to maintain in colleges, with thousands of students, faculty and staff accessing school servers from a variety of networks on both professional and personal devices.
Sensitive information such as home addresses, physical and mental health records and intellectual property can either be leaked or used to extort a ransom from targeted institutions.
“As it turns out, the identity information of children is actually more valuable to [cybercriminals] than that of adults,” Doug Levin, director of K12 Security Information eXchange, told NPR.
Hackers can use a child’s identity to take out loans and rack up debt, wrecking their credit score in the process, Levin explained.
Just a few months ago, a third-party software service in North Carolina was hacked and forced to pay a ransom to prevent millions of students and teachers from having their private information leaked.
And a 2023 breach in Colorado resulted in the leak of students’ and educators’ Social Security numbers and other data – even for those who participated in Colorado’s public school system as far back as 2004.
Minneapolis Public Schools was also hacked in 2023. When the district refused to pay a $1 million ransom, hundreds of thousands of files about its 36,000 students were dumped online. The files contained highly private information about sexual assaults, hospitalizations, abusive parents and suicide attempts.
Similar data breaches in New York and Los Angeles school districts have violated the privacy of countless students.
According to Check Point Research, education is cybercriminals’ most targeted sector, followed by government, healthcare and medicine, and telecommunications.
For example, in 2024, Verizon reported over 10,000 confirmed data breaches – 1,780 (or 17%) of which were against an educational institution.
In the U.S., colleges often partner with the federal government for research purposes, and therefore have access to sensitive intellectual property such as defense technology. Hackers can then infiltrate the college’s less-secure system to obtain government information.
But the problem isn’t unique to the U.S. Nearly half of the U.K.’s higher education institutions reported a cyberattack or a breach at least once a week.
Microsoft reported North Korean groups have been targeting Asian colleges for decades, creating fake businesses or online games to gain access to private systems.
Iranian groups also have attacked hundreds of American and international colleges, using stolen information for the benefit of Iran’s Islamic Revolutionary Guard Corps.
“The most concrete, effective step that an educational institution can take to secure vital and sensitive data is to ensure that all individuals who access IT systems are equipped with the proper tools, education and awareness to protect against cyber threats and reduce human risk,” said Stu Sjouwerman, CEO of KnowBe4.
Simple measures such as phishing simulations can train educators and students to be wary of suspicious emails and check for signs of fraud before clicking on links or unknown files.