September 27, 2021


Data Security: Recent K-12 Data Breaches Show That Students Are Vulnerable to Harm


What GAO Found

A cybersecurity incident is an event that actually or potentially jeopardizes a system or the information it holds. According to GAO’s analysis of K-12 Cybersecurity Resource Center (CRC) data from July 2016 to May 2020, thousands of K-12 students were affected by 99 reported data breaches, one type of cybersecurity incident in which data are compromised. Students’ academic records, including assessment scores and special education records, were the most commonly compromised type of information (58 breaches). Records containing students’ personally identifiable information (PII), such as Social Security numbers, were the second most commonly compromised type of information (36 breaches). Financial and cybersecurity experts say some PII can be sold on the black market and can cause students significant financial harm. Breaches were either accidental or intentional, although sometimes the intent was unknown, with school staff, students, and cybercriminals among those responsible (see figure). Staff were responsible for most of the accidental breaches (21 of 25), and students were responsible for most of the intentional breaches (27 of 52), most frequently to change grades. Reports of breaches by cybercriminals were rare but included attempts to steal PII. Although the number of students affected by a breach was not always available, examples show that thousands of students have had their data compromised in a single breach.

Figure: Responsible Actor and Intent of Reported K-12 Student Data Breaches, July 1, 2016-May 5, 2020

Notes: The actor or the intent may not be discernible in public reports.

For this analysis, a cybercriminal is defined as an actor external to the school district who breaches a data system for malicious reasons.

Of the 287 school districts affected by reported student data breaches, larger, wealthier, and suburban school districts were disproportionately represented, according to GAO’s analysis. Cybersecurity experts GAO spoke with said one explanation for this is that some of these districts may use more technology in schools, which could create more opportunities for breaches to occur.

Why GAO Did This Study

When a student’s personal information is disclosed, it can lead to physical, emotional, and financial harm. Organizations, including over 17,000 public school districts and approximately 98,000 public schools, are vulnerable to data security risks. As schools and districts increasingly rely on complex information technology systems for teaching, learning, and operating, they are collecting more student data electronically, which can put a student’s information, including PII, at risk of disclosure. The closure of schools and the sudden transition to distance learning across the country due to the Coronavirus Disease 2019 (COVID-19) pandemic also heightened attention on K-12 cybersecurity.

GAO was asked to review the security of K-12 students’ data. This report examines (1) what is known about recently reported K-12 cybersecurity incidents that compromised student data, and (2) the characteristics of school districts that experienced these incidents.

GAO analyzed data from July 1, 2016 to May 5, 2020 from CRC (the most complete source of information on K-12 data breaches). CRC is a non-federal resource sponsored by an educational technology organization that has tracked reported K-12 cybersecurity incidents since 2016. GAO also analyzed 2016-2019 Department of Education data on school district characteristics (the most recent available), and interviewed experts knowledgeable about cybersecurity. We incorporated technical comments from the agencies as appropriate.

For more information, contact Jacqueline M. Nowicki at (617) 788-0580 or nowickij@gao.gov.
