Human error to blame in vast majority of education data breaches

School districts must train personnel on good cyber-hygiene, experts tell Congress, because teachers are unknowingly the most common offenders.

The nation relies on teachers to educate our children and help them when they make mistakes. But when it comes to protecting students’ data, it is often the teachers and school staff who mistakenly let bad actors in to school computer systems, officials say.

In a hearing Thursday before the House Committee on Education and the Workforce, a panel of educators, privacy experts and U.S. Department of Education officials pointed to accidental online errors by school staff as the main threat to protecting school data.

In the state of Kentucky, which experienced more than 4 billion attempted attacks on the computer systems of K-12 services last year, the greatest number of data breaches were the result of staff who fell for email phishing scams, according to David Couch, CIO for the Kentucky Education Technology System (KETS) at the Kentucky Department of Education.

“By far the greatest vulnerability to our systems is internal staff who fall victim to phishing attempts,” Couch said during the hearing.


Schools are especially tempting targets for cybercriminals, as they catalog and store troves of personally identifiable information, including the demographic information, Social Security numbers, medical information, test scores and behavior reports of students, among other things. Once stolen, this information can then be sold online.

“We ran a phishing test at school,” said Gary Lilly, superintendent of Bristol Tennessee City Schools, “and I expected the results to be pretty good, indicating that our staff was not susceptible to phishing attempts.” The results of the test, however, showed that nearly 20 percent of Lilly’s staff were “phish prone,” or unprepared to recognize or report phishing attempts.

In general, phishing attempts against schools are increasing and becoming more sophisticated.

“We’ve seen an 85 percent increase in phishing attacks over the past year in Kentucky,” said Couch. Some of the attacks, he said, are spear phishing, an advanced form of phishing attempt that targets specific individuals — particularly those who would be easy targets for attackers.

Fortunately, there is a clear solution to helping teachers avoid phishing attempts: increased education and heightened awareness.


“What we really need is more support for cyber-hygiene training,” said Amelia Vance, director of education privacy for the Future of Privacy Forum. “Forty-five to 95 percent of all data breaches occur because of human error, so the best way to address this is to train people.”

Latest Podcasts