A report analyzing data from the past 15 years found that schools in Arizona have leaked more than 2.83 million records containing personal information of students in the past 15 years.
Arizona is second only to California in the number of records that have leaked, with the Golden State notching 2.88 million compromised records.
The records contain a variety of information, from social security numbers, password information and medical information. Overall, researchers at CompariTech found that schools across the nation have experienced more than 1,300 data breaches affecting some 24.5 million records since 2005.
Arizona has had 13 breaches since 2005. Some of the most high-profile data breaches took place at colleges and universities.
One of the largest single data breaches in the country was in 2013 when the Maricopa County Community College District had a number of databases breached, resulting in 2.49 million records — including names, social security numbers and bank account information — hacked and posted online.
The FBI notified the school about the breach after it found a website selling information stolen from the district. The breach led to a class action lawsuit and the district spending nearly $26 million to rectify the situation afterwards.
Some data breaches found by researchers in Arizona were less sophisticated than the one that targeted MCCCD.
In 2007, the Donaldson Elementary School in Tucson had a computer server stolen from the school that contained the names, addresses and phone numbers of parents and staff members. In total, 380 people were affected.
Other data breaches were not the result of malicious intent, but user error.
In 2017, an employee of the Sunnyside Unified School District accidentally sent personal employee information to every employee in the district.
A Google search by a University of Arizona student resulted in the university having to notify 7,700 students in 2012 of a data breach that exposed student tax ID numbers and social security numbers online.
The data belonged to several thousand students who had submitted their names and tax information to the school so they could receive payments and reimbursements. Vendors, guest speakers and students all ended up having their information exposed. Those who had entered their social security numbers in lieu of a tax ID number had their social security numbers exposed.
In 2010, 8,300 students at UA had their information, including social security numbers, exposed when a hard drive containing withdrawal and disciplinary records was stolen. The data was embedded within a larger set of files that was being transferred to the university’s new financial system.
In one of the more recent breaches, 4,000 Arizona State University had their information revealed when a university official sent out a bulk email to students about renewing their health insurance in 2019. This type of data breach is known as an “unintentional disclosure” in which personal information that can be used to identify an individual or steal their identity is sent to someone other than the intended recipient.
K-12 schools in Arizona were not hit as hard from data breaches as other states, with only 7,986 total records being exposed in five breaches. Texas, the worst hit, has had 40 breaches in its K-12 system, exposing 444,878 records.