Supporting K–12 districts against the growing threat of third-party cyber breaches

Cyberattacks on software suppliers, including Student Information Systems (SIS) and EdTech vendors, have surged in both frequency and scale, exposing student data to unprecedented risks and amplifying the operational and legal challenges faced by K–12 districts nationwide.

Recent high profile third-party cyber breaches, including the PowerSchool breach in late 2024 have highlighted the growing risks posed by these attacks, which the Cybersecurity and Infrastructure Security Agency (CISA) estimates more than once per school day.[1] In fact, cyber threats in K–12 schools are so prevalent that Cybersecurity and Infrastructure Security Agency estimates there is more than one occurrence per school day on average.[2] More recently, in December 2024, there was a cybersecurity breach involving unauthorized access to PowerSchool SIS, the system used by over 30 percent of K–12 districts in the U.S.[3]

These third-party breaches, which target sensitive district data stored within vendor systems rather than the districts themselves, have become increasingly disruptive. The fallout from these incidents extends beyond immediate damage, posing long-term threats to student safety, privacy and the continuity of district operations. This growing trend necessitates urgent attention and proactive measures from superintendents to safeguard their schools and communities.

The Impact of Third-Party Attacks 

The impact of these cyberattacks on school districts is profound and multifaceted, affecting not only the immediate functionality of educational systems but also the long-term safety of student data and trust from the community. 

Key consequences include:

• Widespread disruption: Breaches often paralyze essential services such as student data management, attendance tracking and communication systems, severely disrupting day-to-day operations.
• Sensitive data compromised: Personally Identifiable Information and Health Identifiable Information of students and staff, including Social Security numbers and medical records, are common targets.
• Ripple effects of stolen credentials: Attackers use stolen data to execute further attacks, including ransomware, grade manipulation and phishing campaigns targeting parents, staff and administrators.
• Trust erosion: Breaches undermine trust in school systems and technology providers, fueling skepticism and slowing the adoption of digital tools meant to enhance education.
• Long-term financial and personal risks: Identity theft from compromised student data, such as synthetic identities, can remain undetected for years, impacting individuals’ credit and financial futures. 

Why Cybersecurity Must Be a Top Priority

Many K–12 school districts' IT departments are underprepared to prevent and respond to cyberattacks, likely due to limited resources, insufficient training and a lack of comprehensive cybersecurity strategies. Responsibility for managing the district’s cybersecurity extends beyond IT professionals and district leadership to students, parents, teachers, staff and other stakeholders who interact with district data. Additionally, cyber insurance alone does not mitigate the consequences of third-party cyber breaches. Without significant and regular improvements in their cybersecurity posture, districts will continue to face severe operational disruptions, compromised sensitive data and a loss of trust from their communities. It is imperative that school districts prioritize cybersecurity measures to protect their students, staff and the integrity of their educational systems.

What You Can Do Now to Minimize Your District’s Risk

Education leaders must act decisively to minimize cyberattacks’ impact and prepare for future incidents. By implementing proactive measures, districts can mitigate risks and safeguard their operations and constituents 

Read the full article to learn actionable steps you can take to protect your school district.

Read the Full Article