EdTech platforms are prime targets for hackers.
Valuable data, weak security. Cybercriminals target EdTech companies and schools because they collect and store highly sensitive and highly valuable information that is often poorly secured. They collect personally identifiable information about kids, such as Social Security numbers, dates of birth, and socioeconomic information. Bad actors can use this information to open bank accounts or credit cards, or in service of other forms of identity theft.
High-profile hacks. Many times, young victims of identity theft discover that their information has been stolen only when they try to apply for a college loan or open their first bank account. There have been several high-profile hacks of student information in recent years, including:
- A 2023 hack of MOVEit, which exposed Social Security numbers and other personal information of approximately 45,000 students in the New York City Department of Education, as well as student names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records (e.g., enrollment records, degree records, and course-level data) for 890 schools in the National Student Clearinghouse.
- A 2022 attack on Illuminate Education, which affected the personal information of more than one million students, dating back more than a decade and exposed names, dates of birth, races or ethnicities and test scores of students, as well as more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.
- A 2022 hack of Battelle for Kids, which exposed four years’ worth of records of nearly 500,000 Chicago Public Schools students and 60,000 employees.
Forever harm. Breaches and leaks of student information can have long-lasting consequences. As one cybersecurity expert and parent put it, “If you’re a bad student and had disciplinary problems and that information is now out there, how do you recover from that? It’s your future. It’s getting into college, getting a job. It’s everything.”
A systemic problem. One study found that “school officials, IT personnel, and teachers lack resources to deal with privacy and security incidents more generally and around EdTech, given that limited privacy and security training is offered on these issues” and that districts “do not fully consider the potential privacy and security implications of EdTech products for their students and have little room to negotiate with companies around these issues.”
Don’t collect it in the first place. Cybersecurity experts agree that the best way to keep sensitive information safe is to practice data minimization, under which only personal information that is directly relevant and necessary to a specified purpose is collected and kept for only as long as needed for that purpose. Many EdTech vendors take the opposite approach, collecting as much information as possible, keeping it for an undefined period, and using it for a number of purposes beyond those for which it was initially collected.
Uncovering Privacy and Security Challenges In K-12 Schools. Jake Chanenson, et al (April 2023).
K-12 Institutions at Risk of Cyber Attack. Center for Cybersecurity Policy and Law (November 18, 2022).
A Cyberattack Illuminates the Shaky State of Student Privacy. New York Times (July 31, 2022).
Ransomware criminals are dumping kids’ private files online after school hacks. Associated Press (July 2023).
After school hacks, ransomware criminals expose kids’ private files online. PBS News Hour (July 2023).
Hackers Hit School District in Clark County, Nev. Government Technology (October 2023).
Massive CPS data breach exposes records of 560,000 students, employees. Chicago Sun Times (May 2022).
Hackers’ latest target: school districts. New York Times (July 2019).