We’re all used to hearing about data breaches hitting the government and banking industries. The past few months have shown us as much, thanks to the massive 21 million records stolen from the Office of Personnel Management (OPM) and the 80m+ customers affected by the JPMorgan breach. But how about the education sector? According to the Identity Theft Resource Center, just 7 percent of breaches last year came in this space. The problem with looking at recent data, however, is that we risk missing the bigger picture.
A new analysis of the past decade by Trend Micro reveals that the education vertical has actually been hit by more data breaches than either the government or banking sectors, although incidents are declining in number. It’s just one of several revealing new insights detailed in our two Follow the Data reports.
The data, collected over the past decade by the non-profit Privacy Rights Clearinghouse, gives us for the first time a chance to look at what’s been happening over a long period of time. With this information, and the trends we’ve been able to pick out from breach activity over the previous 10 years, we’ll be better able to protect our customers in the education sector.
The education sector came in the top five most breached industries over the time period, accounting for 4.8 percent of the total. While it’s some way behind the top two of retail (47.8%) and financial (10.2%), it sits just below healthcare (5.5%) and is surprisingly just above the banking and government sectors. It appears that school, college, university, and related records have been somewhat in demand by hackers over the past decade. But for what reason?
We analyzed the same industries in terms of incidents of stolen data being used to commit identity theft and fraud, and found the education sector in fifth place (10.9%), just behind financial (11.2%) and not far from the third-placed government (13.6%) and second-placed retail (15.9%) sectors. This would seem to give us some idea of why hackers have targeted schools, colleges, universities and the like in the past.
Indeed, data is stolen from these institutions for much the same reasons that hackers go after healthcare organizations: it contains personally identifiable information (PII) and may also include financial data. In fact, there’s a 79 percent chance that PII will also be stolen if education data is lifted. We can also say that over the past decade insiders have rarely gone after education-related data, although unintended disclosures have blighted the sector, accounting for 29 percent of breaches. This highlights the need for strong policies around data sharing, and for DLP technology, to prevent mistakes or negligence from leading to privacy issues. Hacking and malware (34%) remains the biggest cause of breaches.
Time to get protected
Although breach incident numbers have been declining over the years, possibly as cybercriminals seek out more lucrative targets in sectors like healthcare and retail, educational institutions need to stay on high alert. The potential fall-out of even a relatively small loss of data could involve industry fines, remediation and clean-up costs, legal fees and, perhaps most damaging in this highly competitive industry, reputational harm.
As part of an effective cyber security strategy, therefore, CISOs in this vertical should assume they have been compromised and consider the following prevention and mitigation techniques:
Click here to read Trend Micro’s two reports: Follow the Data: Dissecting Data Breaches and Debunking the Myths and Follow the Data: Analyzing Breaches by Industry.