Skip to content

K-12 Staff and Student Data Remains at Risk


The K-12 education sector continues to be one of the most vulnerable sectors because of the increase in online learning that occurred due to the pandemic. This has led to an exponential increase in the number of endpoints (laptops, servers, etc.) and software tools that were installed on these endpoints to aid in e-learning. Even though many students have returned to the classroom, the number of remote devices remains in use today. Furthermore, schools don’t have the funding or staffing support (particularly due to shortcomings in being able to offer competitive salaries) on hand to deal with the rapidly prevalent threat of cyberattacks.

Looming threats to school cybersecurity

Since the beginning of the pandemic, the amount of cybercrime that children in the education system face have escalated:

  • 1 in 50 children in America has been a victim of identity theft, while 1 in 45 have faced a data breach
  • In January of 2022, roughly 5,000 schools and colleges’ websites went dark when a tool hosting these schools’ websites was attacked, causing 6 days of downtime and disruption to learning
  • In Florida, hackers posted nearly 26,000 stolen files online after the Broward County School District refused to meet ransom demands

Schools have consistently been a popular target for cybercriminals due to the expansive personal information they have on file for students and staff, ranging from payroll information, social security numbers, learning disabilities, and more.

Take social security numbers (SSN), for example. Once an SSN is out in the wild, it can be used in “synthetic identity theft.” This occurs when someone creates an identity by combining a stolen SSN with a fake name, address, and birthday. As children have no credit history, their social security number is perfect for synthetic theft as starting with a blank slate can be more lucrative without a consumer to report identity theft. And worse yet, this kind of fraud using children’s information likely won’t be discovered for years, until they open their first credit card account, allowing thieves to freely create accounts without fear.

The detrimental impacts of student identity theft

This kind of fraud has long-standing impacts on children and people whose information was stolen. Children face years of impact ranging from credit scores destroyed, denied loans, higher interest rates, and more. In addition, it takes longer for a child to fix their credit history than an adult. And a child’s social security number can be sold for as little as two dollars on the dark web, resulting in a litany of consequences.

Some specific examples of identity theft of minors:

  • Sara Woodington, a single mom in Texas, had her 17-year-old autistic son’s autistic status called into question after there was a record of his social security number used to apply for and work at several jobs
  • In 2021, a Chicago woman was indicted on filing fraudulent tax returns and Covid-19 stimulus payments, among her victim’s was a 7-year-old who was shot and killed in 2015
  • Madison, a 3-year-old girl in New Jersey, received summons for jury duty after her identity was stolen, causing her parents to spend hours contacting the state to set the record straight about her age (source)
  • Young adults have to delay the start of college after federal student aid is denied due to their credit scores being too low after identity theft

Protecting this treasure trove of data requires an investment in cyber hygiene, enabling schools to better track things like where sensitive data is stored, where security vulnerabilities may exist in their environment and better overall management of their IT assets. But instead, schools have been more at risk with the proliferation of learning tools, an increase in distributed student and staff laptops to manage and a historical lack of funding that increases the risk of attacks that schools face.

How do K-12 institutions increase student data security?

The best way for schools to mount their defense against cybercriminals is to get a better handle on their cyber hygiene. You can’t protect what you can’t see, and with many K-12 IT department staff being forced to wear many different hats, juggling things like IT help desk, enrollment operations management and IT security – it can be difficult to have visibility into their attack surface.

K-12 school districts need the visibility to see all their assets, and the control to take action in fixing things like unpatched devices, removing sensitive data if it’s found on unapproved devices, and more.

Tanium is the only Converged Endpoint Management platform that can give K-12 school districts the visibility, control and a single source of truth for all endpoint data at scale – allowing a converged approach to securing student and staff data and protecting the IT identity of our students.

Learn more about Tanium for education.

Doug Thompson

Doug Thompson is Tanium’s Chief Education Architect. A conference speaker, podcast host, and storyteller, he architects solutions that keep our schools’ sensitive data secure.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.