Ransomware in Education Part 1: Why Schools, Colleges and Universities Are So Frequently Targeted
In this first post in a two-part series looking at Ransomware in Education, I focus on why education is a common target in ransomware attacks. The default go-to answer when cybersecurity professionals are asked why ransomware groups target educational establishments is “they are underfunded, under-secured and easy to attack”. Like most lazy explanations, it is partly true, but it doesn’t provide the full picture.
Schools, colleges and universities are not just soft targets, they are data-rich, highly distributed, operationally sensitive environments with complex identity models, broad digital supply chains and very little tolerance for disruption during key academic periods.
Adversaries do not target sectors like education because they are morally indifferent, although the evidence shows they are. They target sectors because the economics work. Education offers a combination that is hard for cyber criminals to ignore: valuable data, constrained security resources, high operational pressure, fragmented governance and a growing dependency on a small number of common digital platforms.
The result is a sector that has become structurally attractive to extortion groups.
Education is now a digital operating environment
Modern academic institutions are no longer a campus with some IT attached; they are a digital operating environment with education attached.
Teaching, safeguarding, assessment, research, payroll, admissions, learning management, finance, student records, parent communications, building access and collaboration all depend on technology. That technology is often spread across cloud platforms, legacy systems, managed service providers, specialist education applications, personal devices, shared devices and federated identity services. This creates the same kind of complexity found in large enterprises, but without the same depth of cyber security staffing, funding or operational maturity.
The UK Government’s 2025 Cyber Security Breaches Survey found that 44% of primary schools, 60% of secondary schools, 85% of further education colleges and 91% of higher education institutions had identified a cyber breach or attack in the previous 12 months. Further and higher education institutions were also more likely to report frequent incidents, with 30% experiencing a breach or attack at least weekly. Those numbers matter because they show that education is not experiencing occasional exceptional events, it is operating under persistent threat.
Those threats are not limited to ransomware, but ransomware actors benefit from the same exposed attack surface: phishing, impersonation, account takeover, malware, insecure remote access, unpatched systems, poor segmentation and third-party compromise. In the same survey, phishing was reported by 89% of primary and secondary schools that had identified breaches or attacks, and by 97% of further and higher education institutions.
This is the first reason education is frequently targeted: attackers do not need exotic tradecraft when the environment gives them ordinary routes in.
The data has long-term criminal value
Educational establishments hold unusually rich data. Not just names and email addresses. They may hold dates of birth, addresses, safeguarding information, special educational needs data, disciplinary records, family contact details, health information, immigration status, financial records, payroll information, valuable research data and identity documents.
For children and young people, that data has a particularly long shelf life. A stolen student record is not just useful for immediate extortion, it can be used later for fraud, phishing, identity theft, social engineering and credential attacks. It can also be combined with data from other breaches to build more complete target profiles. This is why attacks on education technology providers are so significant.
The PowerSchool incident was a good example. PowerSchool disclosed that, on 28 December 2024, it became aware of unauthorised exfiltration of personal information from its Student Information System environment. The breach affected multiple school customers because PowerSchool sits in the middle of the education data ecosystem.
The subsequent extortion attempts against school districts showed another uncomfortable truth: paying at one point in the chain does not necessarily end the risk for everyone else. In May 2025, multiple districts were reportedly contacted by a threat actor demanding payment linked to data stolen in the PowerSchool breach.
In education, the attacker does not always need to compromise a school directly: they can compromise the right shared platform, and the blast radius can then cover thousands of establishments.
This is the second reason education is targeted: it is not only the institution that has value, the data supply chain has value.
The sector has become a platform concentration risk
The recent Canvas incident illustrates the point.
In May 2026, the widely adopted Canvas learning management system was disrupted by a cyberattack attributed to ShinyHunters. Reuters reported that multiple US college newspapers, including those at Harvard, the University of Pennsylvania, Duke, UCLA and the University of Nebraska, described students being unable to access Canvas and instead being redirected to a message from the attackers. Associated Press described the disruption as hitting thousands of schools as final exams approached, with institutions warning students and staff while they worked around outages affecting grades, assignments and course materials.
This is not ransomware in the old-fashioned sense of encrypting a school’s file shares and leaving a ransom note on the desktop, it is the modern extortion model: data access, platform disruption, public pressure, timing leverage and institutional dependency. That is where education is increasingly exposed.
A school, college or university can make reasonable local security decisions and still be disrupted by a compromise of a major shared platform. This does not absolve institutions of responsibility, but it changes the problem. Cyber resilience is no longer only about hardening the estate you own, it is about understanding which external services have become part of your operating model and managing that third-party risk.
A learning management platform during exam season is not “just an application”, it is part of the educational delivery chain. When it fails, the institution does not just lose software availability. It loses the ability to teach, assess, communicate and make decisions with confidence. That is why the ransomware groups that target education time their attacks carefully for maximum impact. They understand the academic calendar: enrolment periods, exam windows, clearing, admissions, payroll cycles, research deadlines and graduation. They know when pressure is highest and when leaders are most likely to make fast decisions with incomplete information.
In other words, they do not just attack systems, they attack the moment.
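The two ideas in this section, platform concentration and timing leverage, can be made concrete with a small dependency-mapping exercise. The following Python is an added illustration, not code from the original article: it takes a constructed inventory of institutional functions, the platforms each cannot operate without, and the pressure windows of a hypothetical academic calendar, then ranks the platforms whose loss would take down the most critical functions on a given date, and counts how many institutions in a constructed sample share each platform. All platform names, institutions and dates are assumptions made up for the example.

```python
"""Blast-radius and pressure-point mapping for an education estate.

Added illustrative example (not code from the original article). The inventory,
platform names, institutions and calendar windows are constructed sample data.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Function:
    """An institutional capability and the platforms it cannot operate without."""
    name: str
    depends_on: frozenset


@dataclass(frozen=True)
class PressureWindow:
    """A period in the academic calendar when disruption hurts most."""
    name: str
    start: date
    end: date
    critical_functions: frozenset


# Constructed sample inventory for a hypothetical institution.
FUNCTIONS = [
    Function("teaching", frozenset({"lms", "identity_provider"})),
    Function("assessment", frozenset({"lms", "student_records", "identity_provider"})),
    Function("safeguarding", frozenset({"student_records", "email"})),
    Function("payroll", frozenset({"hr_payroll", "identity_provider"})),
    Function("admissions", frozenset({"student_records", "email", "identity_provider"})),
]

# Constructed pressure windows (dates are invented).
WINDOWS = [
    PressureWindow("exam_season", date(2026, 5, 4), date(2026, 5, 22),
                   frozenset({"teaching", "assessment", "safeguarding"})),
    PressureWindow("payroll_run", date(2026, 5, 25), date(2026, 5, 29),
                   frozenset({"payroll"})),
]

# Constructed sector sample: which platforms each (fictional) institution depends on.
INSTITUTIONS = {
    "school_a": {"lms", "identity_provider", "student_records"},
    "school_b": {"lms", "identity_provider", "student_records"},
    "college_c": {"lms", "email", "hr_payroll"},
    "university_d": {"identity_provider", "student_records", "email"},
}


def blast_radius(functions):
    """Map each platform to the functions that stop if that platform is unavailable."""
    radius = defaultdict(set)
    for fn in functions:
        for platform in fn.depends_on:
            radius[platform].add(fn.name)
    return {platform: frozenset(names) for platform, names in radius.items()}


def active_window(windows, on):
    """Return the pressure window covering `on`, or None outside any window."""
    for window in windows:
        if window.start <= on <= window.end:
            return window
    return None


def pressure_points(functions, windows, on):
    """Rank platforms by how many of the active window's critical functions they would
    take down on date `on` (a date or ISO string). Platforms that touch none are omitted."""
    if isinstance(on, str):
        on = date.fromisoformat(on)
    window = active_window(windows, on)
    if window is None:
        return []
    ranked = []
    for platform, affected in blast_radius(functions).items():
        hit = affected & window.critical_functions
        if hit:
            ranked.append((platform, sorted(hit)))
    # Most critical functions first; ties broken alphabetically for stable output.
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


def sector_exposure(institutions):
    """Count how many institutions depend on each platform: the sector-wide blast radius
    of a single compromised provider."""
    counts = Counter()
    for platforms in institutions.values():
        counts.update(platforms)
    return dict(counts.most_common())


if __name__ == "__main__":
    for platform, hit in pressure_points(FUNCTIONS, WINDOWS, "2026-05-12"):
        print(f"{platform}: would stop {', '.join(hit)} during exam season")
    print("sector exposure:", sector_exposure(INSTITUTIONS))
```

Run against the sample data, the ranking shows that the identity provider and the learning management system each sit under two of the three exam-season critical functions, which is the same shape as the Canvas outage described above: a single shared platform with a wide blast radius at the worst moment in the calendar. The sector count makes the second point, that the platform used by the most institutions is the one whose compromise causes sector-wide disruption regardless of any one institution's local controls.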
Universities are especially attractive because they are open by design
Universities are supposed to be open, collaborative and internationally connected. They support research partnerships, visiting academics, students from around the world, decentralised departments, high-performance computing, cloud experimentation and a culture that often prizes academic autonomy over central control. That openness is not a flaw, it is part of an institution’s mission, but it does create a difficult security model.
A university looks like a city, a hospital, a laboratory, a technology company and a public body all at once. It may have valuable intellectual property, sensitive research, regulated data, medical partnerships, student records, complex identity federation, legacy departmental systems and a constantly changing user population.
Microsoft’s 2025 Digital Defense Report noted that government, IT, and research and academia were among the most affected sectors, partly because they manage critical services and hold large volumes of sensitive data, including personally identifiable information and authentication tokens. It also observed that financially motivated cybercriminals remain the primary threat, with attackers favouring phishing, unpatched assets and exposed services.
That aligns with what I see operationally across the destructive cyber incidents my team deals with. The attacker does not need to understand every part of the organisation; they need a single path in, enough privilege to move, enough time to stage impact and enough leverage to force a decision. In a university, there are many, many paths in.
Schools carry enterprise risk without enterprise funding or capability
At the other end of the sector, schools face a different imbalance. Many schools and academy trusts now depend on complex digital services, but they do not always have dedicated security teams, mature incident response capability or the budget to operate like a regulated enterprise. They may rely heavily on outsourced IT providers, shared services, cloud platforms and a small number of internal staff who are expected to be infrastructure engineers, helpdesk, procurement advisors, security analysts and incident responders all at once.
That creates a dangerous asymmetry: attackers operate like industrialised businesses, schools defend like a stretched public service.
This is not a criticism of school IT teams, quite the opposite. I’ve worked with many during response and recovery after attacks; they are doing difficult work with limited resources and a difficult mandate. The harsh reality, however, is that ransomware does not care whether a control was absent because of budget, governance, procurement complexity or staffing constraints; the outcome is the same.
The UK survey also shows signs of improvement, including higher levels of incident management activity in primary schools and identity and access management activity in secondary schools, but it also found that secondary schools were less likely than in 2024 to have undertaken vulnerability management activity - the number one initial access vector for ransomware that my team sees. Progress is real, but uneven - and attackers exploit unevenness to target the weakest link.
Ransomware groups understand reputational pressure
Educational establishments are also sensitive to reputational harm. Parents need confidence that schools can safeguard children; students need confidence that universities can protect their data and preserve academic continuity; researchers need confidence that intellectual property is secure; regulators need confidence that personal data has been handled properly and that student services can be recovered; and governors, trustees and boards need confidence that the institution is being run responsibly.
A school can restore systems and still face months of data protection, safeguarding, legal, communications and trust issues. A university can bring platforms back online and still face questions about research exposure, student privacy and third-party risk. A college can resume teaching and still be dealing with identity theft risk and regulatory reporting. The attacker knows this, so the ransom demand is not only priced against the cost of IT recovery, it is priced against this inherent institutional anxiety.
The real issue is structural exposure
The education sector is frequently targeted because it has become structurally exposed to modern extortion due to a number of factors:
High-value data relating to students, staff, families, research and institutional operations.
Open and distributed environments that are hard to secure with traditional perimeter thinking.
Constrained security resources compared with the scale and complexity of the operating model.
Heavy dependence on third-party platforms that can create sector-wide blast radius.
Operational pressure points such as exams, enrolment, payroll, admissions and graduations.
Complex identity relationships across students, staff, faculties, parents, alumni, suppliers, researchers and partners.
Reputational sensitivity that gives attackers additional leverage.
This is why education remains attractive even when individual attack volumes fluctuate. Comparitech reported that ransomware gangs claimed 251 attacks on schools, universities and other educational institutions in 2025, broadly similar to 2024, but with more records breached than the previous year.
That should make leaders cautious about celebrating any short-term reduction in attack counts. A small number of successful attacks against the right platforms can create greater harm than a larger number of isolated incidents. The threat is not just more attacks, it is more leverage per attack.
The board-level question
For governors, trustees, boards and executive teams, the question is not simply: “Are we doing cyber security?” Most educational establishments are doing something, and many are doing a lot. The better question to ask is:
“Have we understood why our institution is valuable to an attacker, where they would create maximum pressure and which systems, identities, data stores and third parties would determine whether we could keep teaching, assessing, safeguarding and operating during a destructive cyberattack?”
Education leaders do not need to become cyber specialists, but they do need to understand that ransomware is no longer just an IT outage, it is an attack on institutional continuity, trust and decision-making.
That is where the next article will focus: not on the breach, but on the messy operational reality after the breach. The identity systems that cannot be trusted, the backups that exist but have not been tested for cyber recovery, the third parties that are needed but not integrated into the plan, the foundational critical services that were never prioritised, the communications channels that disappear at the moment they are needed.
In ransomware, being targeted is not the worst outcome, being unable to recover with confidence is.