Data Spotlight: Third-party vendor risk threatens schools' cyber safety

By Ehden Pelaez, Front Page News

Cybersecurity has become a critical concern for educational institutions, especially as schools rely more heavily on technology for teaching, research, and data management.

A review of the most significant cybersecurity incidents tracked by Zywave’s Loss Data Insight within the education sector between 2009 and 2023 reveals a notable trend: More than 50% of these major incidents were not direct attacks on the educational institutions themselves. Instead, cyber events affecting third-party vendors had a cascading effect on the schools that used their services.

“A problem with a service provider can affect multiple organizations simultaneously given that homogenous industries rely on similar service providers,” explained Jim Blinn, Zywave’s vice president for client solutions.

In 2018, the data breach that hit London-based educational services provider Pearson PLC impacted around 13,000 schools. Similarly, Blackbaud, a cloud software company that provides fundraising and donor management solutions to educational institutions and nonprofits, fell prey to a ransomware attack in 2020.

Both companies faced a slew of lawsuits including charges from the Securities and Exchange Commission (SEC) for failing to disclose the full impacts of the attacks in a timely fashion.

Earlier this year, the Cl0p ransomware group exploited a vulnerability in MOVEit, a software widely used by organizations to transfer data. The cyberattack has affected more than 150 U.S. schools including the New York City public schools, Johns Hopkins University, and the Minnesota Department of Education.

“Arising out of the MOVEit situation, we have identified that National Student Clearinghouse (NSC) which was a licensee of the MOVEit file transfer solution was impacted by the attack.  We have identified (so far) 270 customers of NSC – which were colleges and universities – that were impacted by the breach,” Blinn added.

These events establish third-party providers as one of the most prominent cyber risks for the education sector.

Blinn also noted that these events come with a high price tag for educational organizations that may have limited resources to devote to cybersecurity and incident response.

“This includes costs for response, lawsuits, ransomware payments and the like.  Additionally, cybersecurity has grown in importance and cost – all of which take away from the primary mission of education,” he explained.

The White House’s decision to host an inaugural summit on the ransomware crisis affecting U.S. public schools underscores the gravity and scale of the issue. Held in August, the event brought together a diverse group of educators, cybersecurity specialists, and policymakers to formulate a cohesive strategy to safeguard the education system from digital threats.

Among measures discussed were  the plan of the Education Department to establish a Government Coordinating Council (GCC)  to harmonize activities, policy, and communications among federal, state, local, tribal, and territorial education leaders to strengthen the cyber defenses and resilience of K-12 schools; tailored security assessments by the Cybersecurity and Infrastructure Security Agency (CISA) for the K-12 sector; provision of grants and other support by technology providers, including Amazon Web Services and Google.

Rising attacks

Zywave has catalogued a total of 2,246 publicly disclosed school cyber events since 2020, with incidents predominantly tied to remote learning disruptions and the ransomware attack on Blackbaud. But as students returned to their physical classrooms in 2021, cyber events got significantly more expensive -- suggesting that cybercriminals are not only adapting to the changing landscape but also implementing more destructive strategies that result in increased costs.

The education sector ranked 13th in cyber losses across industries tracked by Zywave’s Loss Insight with the mean cyber loss hitting $15.7 million.

Ransomware menacing education

A look at attack vectors in Zywave’s Loss Insight shows ransomware on top of the list followed by human error and social engineering.

As attackers continue to focus on organizations where they can cause mass disruption, schools also remain vulnerable to direct ransomware attacks impeding essential functions. 

Vice Society, a ransomware-as-a-service (RaaS) group that allows other cybercriminals to use their ransomware for a fee, was the culprit in the Los Angeles Unified School District (LAUSD) ransomware attack in 2022 and in a similar attack in 2020 against the University of Utah's College of Social and Behavioral Science (CSBS).

Such incidents have not only disrupted learning environments but have exposed sensitive student and faculty data. The Government Accountability Office, in a 2022 report, estimated the loss of learning following a cyberattack can range from three days to three weeks, and recovery time ranges from two to nine months.

The cyber threat landscape for the education sector can change rapidly and the outlook in the coming years will largely be dependent on the collective action of all stakeholders to cultivate a cyber-safe place for students.

Infographics by FPN’s Karla Tecson. Editing by Erin Ayers and Leslie Castillo.

To learn more about Zywave’s Loss Insight, visit https://www.zywave.com/insurer/loss-insight/ or email adv_support@zywave.com.

*Zywave’s loss data is curated from a wide variety of public sources. Our collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.