An article from Dive Brief Data breach reporting lags in education, study finds

The sector takes an average of 4.8 months to report attacks — the highest when compared to business, government and healthcare.

Published May 22, 2025 Anna Merod Reporter

• post
• share
• post
• print
• email
• license

Colleges and K-12 schools have the longest data breach reporting times following a ransomware attack compared to the business, government and healthcare sectors, according to a new Comparitech study. JuSun via Getty Images

First published on

Listen to the article 3 min This audio is auto-generated. Please let us know if you have feedback. Dive Brief:

• It took the education sector 4.8 months on average to report data breaches following ransomware attacks between 2018 and 2025, according to a report released last week by Comparitech.
• Colleges and schools had the highest average reporting time for ransomware data breaches when compared to the business, government and healthcare sectors, Comparitech found in its analysis of over 2,600 U.S. ransomware attacks. 
• At the same time, education companies — counted separately from colleges and schools — saw even higher reporting times at 6.3 months. Waiting months to disclose a data breach is dangerous, given that stolen data can be on the dark web before victims even know a breach happened, wrote the researchers for Comparitech, a cybersecurity and online privacy product review website.

waitToLoadAds.push(function() { googletag.cmd.push(function() { if (window.dfp_visibility == 'mobile' ) { googletag.display('dfp-hybrid1-mobile'); googletag.pubads().addEventListener('slotRenderEnded', function (event) { var adUnitPath = '/21662595662/highereddive/highereddivehybrid1'; var onProformative = false; if (onProformative && event.slot.getAdUnitPath() === adUnitPath && !event.isEmpty ) { var adUnitPathWithVisibility = adUnitPath + '-mobile'; var selector = '.pf-comments__ad-wrapper [data-container-ad-unit-id="' + adUnitPathWithVisibility + '"]'; if (!$(selector).closest('.pf-comments__ad-wrapper').hasClass('borders')) { $(selector).closest('.pf-comments__ad-wrapper').addClass('borders') } } }); } }); }); waitToLoadAds.push(function() { googletag.cmd.push(function() { if (window.dfp_visibility == 'desktop' ) { googletag.display('dfp-hybrid2-desktop'); googletag.pubads().addEventListener('slotRenderEnded', function (event) { var adUnitPath = '/21662595662/highereddive/highereddivehybrid2'; var onProformative = false; if (onProformative && event.slot.getAdUnitPath() === adUnitPath && !event.isEmpty ) { var adUnitPathWithVisibility = adUnitPath + '-desktop'; var selector = '.pf-comments__ad-wrapper [data-container-ad-unit-id="' + adUnitPathWithVisibility + '"]'; if (!$(selector).closest('.pf-comments__ad-wrapper').hasClass('borders')) { $(selector).closest('.pf-comments__ad-wrapper').addClass('borders') } } }); } }); }); Dive Insight:

Delayed reporting of data breaches comes at a time when schools and ed tech companies alike are grappling with the ongoing threat of ransomware attacks.

Illustrating the prolonged response times for ransomware breaches, the latest Comparitech report pointed to Texas’ Alvin Independent School District confirming just this month that a June 2024 data breach impacted nearly 48,000 people. The data involved names, Social Security numbers, credit and debit card numbers, financial account information, medical and health insurance information, and state-issued IDs. 

Organizations often wait to disclose a data breach because they are unsure if data was stolen following a ransomware attack until the hacker posts the stolen information on the dark web, Comparitech said. 

“Data theft is a common component of ransomware attacks, so it’s not unreasonable for companies to assume hackers stole data, even if there isn’t any evidence to suggest data theft at first,” researchers wrote. “The worst thing to do is to jump to the conclusion that data hasn’t been stolen.”

The FBI also advises against paying threat actors following a ransomware attack. If organizations pay a ransom, it still doesn’t guarantee any data will be recovered, the agency’s website states, adding that ransom payments can actually encourage more attacks.

K-12 school districts have been especially concerned about a widespread breach of student and staff data across North America following a December 2024 ransomware attack on ed tech provider PowerSchool. 

Though PowerSchool disclosed the cybersecurity incident about a week later, the company allegedly told districts not to worry about sensitive student and staff information being exposed. Five months later, however, PowerSchool publicly confirmed that, despite paying a ransom to threat actors, multiple school districts were being extorted with the same information stolen in the December incident.

Since then, over 100 school districts — including Tennessee’s largest school system, Memphis-Shelby County Schools — have sued PowerSchool for negligence, breach of contract and false advertising.

• 
• 
• 
• 
• 
• purchase licensing rights

Filed Under: Policy & Legal Higher Ed Dive news delivered to your inbox

Get the free daily newsletter read by industry experts

Email:

• Select user consent: By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at anytime.

Sign up A valid email address is required. Please select at least one newsletter. Editors' picks

• Drew Angerer / Staff via Getty Images Carnegie Classifications debuts redesign of system to group colleges

  It now has multiple categories to capture the size and mission of colleges and a new classification focused on student access and earnings.

  By Natalie Schwartz • April 24, 2025
• Chip Somodevilla via Getty Images Trump’s FY26 budget plan slashes Education Department programs

  The president's proposed cuts would dramatically reduce funding for Federal Work-Study and eliminate all spending on the TRIO program.

  By Natalie Schwartz • May 2, 2025