A recent study by Comparitech reveals that educational institutions take substantially longer to report data breaches than organizations in other sectors. Schools and colleges average about 4.8 months, while education companies take up to 6.3 months to disclose such incidents. This lag in reporting is especially concerning amid an uptick in ransomware attacks targeting the sector. The delayed reporting exposes victims to significant risks, as compromised data can circulate on the dark web long before those affected are informed. The delay is often due to uncertainty surrounding the extent of data theft, and organizations sometimes only confirm breaches when hackers leak information online. Comparitech advises that organizations assume data theft has occurred during these attacks. The FBI recommends against paying ransoms, noting that payment might encourage further attacks without guaranteeing data recovery.
A notable incident involved Texas’ Alvin Independent School District, which took nearly a year to reveal a breach impacting nearly 48,000 individuals. Another high-profile case was the December 2024 attack on ed tech provider PowerSchool, initially underplayed but later found to have compromised sensitive data across over 100 school districts. Legal actions have resulted, with over 100 school districts, including Memphis-Shelby County Schools, suing PowerSchool for negligence and breach of contract.
The findings emphasize the urgent need for improved data protection practices and more timely breach disclosures within the education sector to protect sensitive information effectively. Addressing these delays is crucial to minimizing potential risks and ensuring accountability.