4.8 months: the average amount of time it takes schools and colleges to report a data breach following a ransomware attack. Here’s why.
Those five months are the longest time to report across four major sectors—business, education, government, and healthcare, according to a recent analysis from Comparitech, a cybersecurity firm.
According to the research, educational institutions are putting their communities at risk the longer they wait to report such cases.
“Until the victims of a data breach are notified that they’ve been compromised, they are vulnerable to identity theft, targeted scams, credit card fraud, impersonation, extortion, account takeovers, and more,” the research reads. “Timely notification is essential for victims of data breaches to protect themselves, prompting them to check their credit reports, bank statements, and account security settings before the damage spirals out of control.”
Comparitech analyzed the time it took for educational institutions and companies to report ransomware data breaches.
Case examples
In one extreme case, a medium-sized Texas district was forced in June 2021 to pay a ransomware gang known as Pysa $547,000 to have its stolen data deleted.
After an extensive investigation, nearly 429,000 victims were notified of the breach in September 2022, more than one year after the attack.
The researchers suggest that the investigations themselves play a significant role in how long it takes for institutions to report a break. Collecting each victim’s contact information can be a lengthy process.
“Most companies will employ a third-party cybersecurity firm to do the work for them,” the research reads. “This will involve going through all of the data impacted to see which customers have been affected.”
Another Texas district just recently started notifying more than 47,000 people of a June 2024 breach, according to the research.
“Five months is a long time for people to be unaware their data has been impacted in a ransomware attack,” the researchers conclude. “Not only that, but hackers often post victims to their data leak sites within a month of the attack taking place if ransom negotiations fail.”
“Therefore, stolen data may have been on the dark web for four months or more before those whose data is compromised are any the wiser.”
Read the full report here.
More from DA: Why high school graduates now need perspective on higher ed to enroll
