Why would someone hack into schools? Northeastern cybersecurity experts explain why they are easy targets   

K-12 schools are often the target of cyberattacks because they are underfunded when it comes to cybersecurity resilience, explains David Choffnes, executive director of Northeastern’s Cybersecurity and Privacy Institute.

A screenshot of PowerSchool.
Photo by Matthew Modoono/Northeastern University

A nationwide breach that has exposed the data of students and teachers around the country underscores how vulnerable educational institutions are to cyberattacks because of a lack of resiliency investments, Northeastern University cybersecurity experts say. 

On Jan. 7, PowerSchool, a software company that provides educational services to more than 60 million students in K-12 schools throughout the world, announced that the data of some customers had been compromised as part of a hack on its systems. 

Using stolen credentials, hackers accessed PowerSchool’s portal to steal information from teachers and students including names, addresses, phone numbers, Social Security numbers, grade point averages, bus stops and medical information. 

“It’s one thing when your own data gets compromised, and we all generally don’t feel great about it, but we are talking about your children who are either not online or barely online,” says David Choffnes, executive director of Northeastern University’s Cybersecurity and Privacy Institute. “To have their sensitive information exposed like this is a huge problem because while those of us that are grown-ups have a certain amount of our lives left, it’s nowhere near as much as kids. Their information will be exposed for much longer.”

K-12 schools are often the target of cyberattacks because they are historically underfunded when it comes to cybersecurity infrastructure, Choffnes says. Additionally, hackers understand how valuable the data of children can be and that those affected are often more willing to pay top dollar to prevent sensitive information from getting released. 

“Who do attackers target? They attack the most vulnerable and valuable,” Choffnes says. 

Cyberattacks in schools are on the rise, and according to the U.S. Department of Education, K-12 schools throughout the country are experiencing roughly five cybersecurity incidents per week.

A 2024 trends report from the State Educational Technology Directors Association revealed that the top priority for state education tech leaders is bolstering cybersecurity measures, but many believe there is a lack of state funding to adequately address the situation.

“We all know that high schools and middle schools often have the least amount of funding for enhancing or strengthening their security,” says Aanjhan Ranganathan, a Northeastern professor in the Khoury College of Computer Sciences and cybersecurity expert. “They have enough funding problems already.” 

“Most of their systems are likely outdated and therefore have old security vulnerabilities that should have been patched,” he adds. “There’s a whole bunch of low-hanging fruit for hackers to get into.” 
