Educational institutions face increased data breach risks amid surge in UK attacks
Educational institutions across the UK are increasingly vulnerable to data breaches as more cyber attacks and poor data handling practices expose sensitive personal information.
Schools and universities, which hold large amounts of personal data, are becoming prime targets for cybercriminals, according to Ben Marsh, Class Underwriter at Chaucer, a global speciality (re)insurance group.
Speaking exclusively with ETIH, Marsh explained the heightened risks faced by educational institutions.
"Educational institutions are particularly vulnerable to data breaches. They are a prime target for cyber and social engineering attacks given the valuable, and often large amount, of personal information – more so than traditional businesses," Marsh said.
As the education sector increasingly embraces remote learning and digital platforms, the risks have escalated. Schools and universities rely on third-party service providers to manage and store data, but these outsourced services are contributing to the rise in breaches.
"As remote learning becomes more common, schools and universities will need to invest in stronger cybersecurity controls and data protection measures to reduce the risks of data being compromised by third parties," Marsh added.
Government institutions, including educational bodies, were among the sectors hardest hit by data breaches in 2023. Of the 312 million data breaches that occurred in the UK last year, 196 million were linked to central government institutions, including many educational organisations. This forms a significant portion of the overall increase in breaches, which saw a 53% rise compared to 2022.
Marsh highlighted that outsourcing data management to third-party providers plays a central role in these large-scale breaches. He pointed to an incident in March 2023, when an outsourcing firm managing nearly 400 pension schemes experienced a data breach.
This incident potentially compromised the personal data of hundreds of thousands of individuals, with 90 pension schemes filing data breach reports to the Information Commissioner’s Office (ICO).
“Growing outsourcing of data management and data processing to third-party providers is fuelling an increase in the potential for large-scale data breaches, potentially affecting tens of thousands of individuals at a time,” Marsh noted.
Data breaches on the rise nationwide
On average, UK citizens were affected by five data breaches each in 2023, with a total of 312 million breaches recorded. This represented a significant 53% increase compared to the 204 million breaches in 2022. The surge in breaches was driven not only by outsourcing but also by a rise in cyber attacks.
The number of successful cyber attacks rose by 20% last year, from 8,948 in 2022 to 11,177 in 2023. These breaches typically expose sensitive information such as financial data, medical records, and personal identifiers, all of which can be sold on the dark web.
Marsh cautioned that not all breaches are the result of cyber attacks. Many incidents are caused by poor data handling practices within organisations, particularly those that outsource data management to third parties.
Marsh added:
“While outsourcing some data management is a logical step for streamlining a business to make it more profitable, data security should never be compromised. Businesses that outsource to unsecured third parties to cut costs may face very hefty losses – in ransoms, fines or lost customers.”
“Companies must ensure that data is hosted in the right place and managed by experts with the proper training. Companies should also include contractual provisions for data breaches in any paperwork they sign with third-party providers – and must ensure those outsourced parties comply with up-to-date regulations.”