Student data is the most valuable resource stored in the school’s domain. That’s why a data breach at an educational institution hurts so much.
Internet Safety Labs’ research shows alarming results. Student privacy in 78% of apps required or recommended for schools is “very high risk”, and 79% of apps used in schools collect student location data.
In this post, we show three real-world examples that put student data at risk: from a massive breach of school data containing classified information to a hack of a student monitoring app. Later, we share tips on how to prevent data breaches in Google Workspace for Education.
Cases of Data Breaches in Schools
The Leak of Emergency Procedures at US Schools
In December 2023, 800 GB of sensitive files from US schools were leaked, exposing institutions to potential security risks. Over 4 million records linked to an education software provider contained personal information about students, including health conditions, threats of self-harm, and examples of individual misbehaviour.
In addition, the disclosed files provided details of evacuation plans in case of various threats at the school, such as shooter or bomb attacks. They included emergency assembly points, shelters for students and floor plans. This data could be perfectly used by cybercriminals or local terrorists.
When contracting with a software company, make sure you can entrust it with confidential information your school collects. Discovered US school files were uploaded to a third-party provider’s system. Before submitting anything to an external cloud, consider double protection for data whose leaking could make your school’s security system or individual students highly vulnerable.
Privacy Breach After User Error in Canada
Saskatchewan, Canada, February 2023. An unauthorized user accidentally transfers school data from eight archived files to a third-party cloud service provider. As a result, the personal information of 20,000 former students and staff members of the 35-school division may have been stolen.
The data affected by this security breach included bank information, social insurance numbers, ages, gender and student numbers of parents and students. Although there is no proof that the data was copied from the provider’s cloud storage, a possible security breach could still happen in the future. The leaked information could appear on the dark web and be used for opening a new bank account, applying for a mortgage or ransom harassment.
Even if a data breach has never directly affected your school, learn from the experiences of other institutions. Remember that 88% of data breaches are due to human error. Regularly review and update user permissions in Google Workspace for Education to reduce the risk of accidental data leaks.
Student Monitoring App Hacked at UK School
Many parents of students in Billingham were surprised when they began receiving multiple notifications to their student monitoring app in January 2024. Students were receiving virtual rewards from the teacher’s account and explicit comments. As a result of the app hack, parents also gained access to children’s profiles not connected to them.
Given the language used in the comments, it’s possible that students were responsible for hacking the school app. What is concerning is how easy it was to break the IT system. The company and schools immediately acted to avoid more damage after the alleged data breach.
To avoid this happening, it is important to carefully verify and monitor any third-party apps that users have installed on their Google Workspace accounts and what permissions these apps require from users. An effective school language policy and a content monitoring tool will also help detect and avoid inappropriate wording used by students in Google Classroom.
How to Prevent Data Breaches at Your School
Effective data loss prevention not only safeguards student information from unauthorised parties and use but also saves school admins many working hours. Often, the price of a data breach is also the money spent to recover and reinforce the data storage, as well as the school’s reputation and credibility, which can’t be so easily recovered.
Look at the following tips to strengthen the protection of sensitive information in your school domain.
1. Prevent School Data Breach
“Prevention is better than cure”, said Desiderius Erasmus in the 16 century. Five hundred years later, we stand by that statement as well when it comes to protecting student data in Google Workspace.
Data breach prevention and response in schools starts with perfectly crafted cybersecurity policies for your e-learning environment. These policies should cover access control, data and password security, data retention, and classification policies, among other things.
Create an Incident Response Plan for any kind of cybersecurity attack. Address prevalent online threats to act promptly and reduce the cost of an incident. Consider common, real-life scenarios in schools, such as those mentioned in the first part of this article.
2. Provide Secure Digital Infrastructure
Antivirus software must be installed on every school device. Keep all browsers and systems properly configured and updated. All hardware and software used on devices must be documented and authorised. Ensure that only approved users can make changes to settings.
Make sure that students and staff members can only log into their Google Classroom accounts on school devices through the safe school network. Students should only use a secure connection to access the e-learning platform when learning remotely.
3. Apply Effective User Management
Installing third-party applications on your devices is like inviting guests into your house. You want to make sure they won’t steal anything, right? Check carefully all apps you’re giving access to school computers and what data they need permission to. You can easily audit all third-party apps installed in your school domain with GAT+.
As the next step, set up alerts for new applications installed by users in your Google Workspace domain.
Another essential aspect of safe data management is controlling user access to Drives and files in the school domain. Customise the level of permissions for each user’s needs. The Principle of Least Privilege comes in handy to evaluate this element of domain security and remove access to files and folders shared with a user if needed.
Don’t forget to audit file shares externally, especially if the user who did this is already suspended.
SEE ALSO: The Modern K-12 Admin’s Guide to Google Shared Drives Management
4. Educate about Data Breach Prevention
Students and teachers are on the front lines of the fight against data breaches, so cybersecurity education must be your primary focus.
Provide training about online threats, such as phishing scams, ransomware and malicious software so they can detect them properly and reduce the risk of data leaks. Training must be conducted and updated regularly to prepare the school for online attacks.
Require strong passwords to protect all personal information related to your Google Workspace for Education domain. GAT Flow, our user management tool, will help you automate this task and generate or change passwords for determined users.
Closing Thoughts
Once students’ private information is leaked, they become an increasingly common target for cybercriminals.
The key is to prevent such situations from the outset. If they do occur – be ready to respond quickly to limit the damage. Let privacy security on Google Workspace be your top priority and make your school less vulnerable to data breaches.
Audit. Manage. Protect.
Discover how Management & Security Services can help you with deeper insight and on-call, personalized assistance.
