Schools, colleges, and universities store massive amounts of personal information for students, parents, and employees. This means that, while they may not make the news as much as other breaches, schools, colleges, and universities are under constant attack by modern threat actors.
According to Verizon’s 2024 Data Breach Investigations Report, the educational services sector experienced 1,780 incidents in 2023, with 1,537 involving confirmed data disclosure. This is a 258% year-over-year increase in the number of incidents and a staggering 545% increase in the amount of data disclosure. Many these can likely be attributed to the MOVEit transfer vulnerability, with the National Student Clearinghouse recently revealing that 900 U.S. schools were hit by this exploit.
Unfortunately, the sharp spike in incidents appears to be the only thing that’s changed for this sector in the past few years. Of those attacks, 68% were from external sources, meaning ransomware continues to rule as an external threat, while uninformed and overworked insiders continue to lead the threat risk from inside the schoolhouse, with loss, misclassification, and misdelivery errors accounting for 56% of internal threats.
Additionally, 98% of incidents were motivated by money, meaning schools, colleges, and universities need to have proactive protection in place to stop extortion attacks before they can start.
Proactive protection against cyber attack requires 24×7, real-time cybersecurity operations that can help educational services organisations monitor, detect, and respond to threats not only during the school day, but on weekends, holidays, and summer vacation. It also means having enough staffing, budget, and available hours to continuously monitor, analyse, prioritise, and manage vulnerabilities to ensure students, parents, employees, and staff — and their data — stay safe. For many institutions, this isn’t something that can be easily managed in-house.
Why School Cyber Attacks Happen
The education industry isn’t just in the business of teaching students, it’s also responsible for a lot of data, primarily personally identifiable information (PII), making these organisations a major target for threat actors.
Educational institutions contain PII for students, their parents or guardians, faculty and staff , and may also have student medical records or other valuable data stored within their network. Threat actors know that the encryption or exfiltration of this PII is emotionally fraught for victims, as it risks the exposure of the private information of children and families.
Threat actors are also well aware of the demands placed on faculty, staff, students and families, as well as the lack of available in-house security experts or budget to pay them, meaning that the chances of these overworked, overstressed, and overstretched users falling for a social engineering attack are far more likely.
Finally, as the COVID-19 pandemic forced schools, colleges, and universities to embrace hybrid learning, these institutions attack surfaces expanded quickly, often faster than the IT and security teams could keep up, meaning there are new avenues for exploitation that are often poorly protected or wholly unguarded.
Common Cyber Attacks Faced by Schools
According to research from the Multi-State Information Sharing and Analysis Centre (MSISAC) and the Cybersecurity and Infrastructure Security Agency (CISA), school cyber attacks fall into one of five major categories:
Data Breach
While not necessarily financially motivated on their own, data breaches involve the exfiltration and revelation of personally identifiable information of students, faculty, staff, families, and third-party vendors. This information can then be used to launch other cyber attacks like the ones below.
Ransomware
A ransomware attack can lock users out of a school’s entire environment, disrupting learning until systems can be restored. These attacks often lead to class cancellations, extensive remediation expenses, reputational damage, and lingering questions regarding an institution’s ability to repel subsequent attacks. And, since many modern ransomware attacks involve data exfiltration as well as encryption, there is a real risk of PII being leaked online whether or not a ransom is paid. What’s more, in the aftermath of a ransomware attack, leaders of educational institutions face scrutiny from faculty, students, and public officials
Business Email Compromise (BEC)
In a school BEC attack, a hacker gains control of an internal email account and uses that access for financial gain. Traditionally, after gaining access, the threat actor will send out fake emails requesting the transfer of funds from within the educational organization or from any number of the third-party vendors with which an educational institution does business.
Distributed Denial of Service (DDoS)
A DDoS attack consists of multiple compromised systems attacking a target on a network, such as a server or website, causing a denial-of-service error. This results in legitimate users being unable to access the network. DDoS attacks on educational institutions can result in significant losses to learning time, with key systems and resources being unavailable until IT and security teams can clean up the mess. When students and teachers can’t access their applications or data, it effectively cancels school, and becomes the cyber equivalent of a snow day – or several.
Invasion (online class and school meeting)
Invasion attacks are extremely disruptive to educational institutions utilising remote tools for everything from online learning to virtual PTA meetings. Hackers invade these unsecured class sessions and meetings to interrupt them with everything from hate speech to pornography.
Notable Cyber Attacks Against Schools and Colleges
Here’s an overview of recent attacks that landed schools, colleges, universities, and their business partners in the news for all the wrong reasons.
10. University of Manchester
Attack type: Ransomware
Location: Manchester, England
Cost: Not disclosed
People affected: More than 1.1 million
In June of 2023, a ransomware attack on the University of Manchester resulted in the exfiltration of PII for staff, alumni, and students, plus a 250GB data set that contained the health records of 1.1 million NHS patients. It appears the breach was the result of a VPN exploit, as the university removed access to their GlobalProtect VPN shortly after the incident occurred. The university had health records, including patient data of major trauma patients and terror attack victims, for research purposes.
9. University of Hertfordshire
Attack type: Unknown
Location: Hatfield, England
Cost: Not disclosed
People affected: Not disclosed
In April 2021, a cyber attack crippled the University of Hertfordshire, affecting all of the university’s computer systems, including cloud-based resources such as Office 365, Microsoft Teams, and Zoom. Most classes resumed five days after the attack and access to the university’s IT and cloud-based services was restored.
8. Howard University
Attack type: Ransomware
Location: Washington, D.C.
Cost: Not disclosed
People affected: Not disclosed
A ransomware attack forced Howard University to cancel online and hybrid classes in September of 2021. The university’s response included shutting down its campus Wi-Fi. Days after the attack, online and hybrid classes remained canceled, and the university’s Wi-Fi was still offline. In the aftermath, Howard’s IT department took steps to strengthen the university’s defences, including hiring additional professionals. Faculty and staff were required to reset their passwords and comply with complex password requirements. The university also upgraded its cloud-based security, deployed upgraded routers and connectors, and installed a new wireless network.
7. University of California, Los Angeles
Attack type: Ransomware
Location: Los Angeles, CA
Cost: Not disclosed
People affected: 300 organizations
In a December 2020 attack, hackers exploited a vulnerability in third-party software to insert ransomware and extract personal data from government agencies, businesses, and educational institutions, including the University of California. In late March 2021, the perpetrators leveraged the stolen personal data to engage in mass mailings and the posting of data online to blackmail individuals and companies into paying up.
In response, the university system created a webpage to address the needs and provide answers to those impacted by the hack. It also moved to a more secure file transfer solution, cooperated with the FBI to investigate, and engaged third-party security consultants to investigate the breach.
6. Finalsite
Attack type: Ransomware
Location: Glastonbury, CT
Cost: Not disclosed
People affected: 5,000 schools and colleges
A ransomware attack against Finalsite, a web-hosting service provider for the education sector, resulted in websites for approximately 5,000 schools and colleges going offline. The company was able to identify the attacker but declined to share their identity or how they compromised the company’s defences. Finalsite also refused to say whether the firm or its insurance company had paid a ransom. According to Finalsite, the attack did not compromise school data.
5. Broward County Public Schools
Attack type: Ransomware
Location: Broward County, FL
Cost: Not disclosed
People affected: approx. 50,000
An attack on March 7, 2021, exposed the personal information of approximately 50,000 students and employees of the Broward County public school system, including names, dates of birth, Social Security numbers, and healthcare-related information. The perpetrators demanded a ransom of $40 million to relinquish control of the school system’s data, which officials declined to pay. The district did not release details regarding the attack to protect “the integrity of our data security.”
4. Los Angeles Unified School District
Attack type: Ransomware
Location: Los Angeles, CA
Cost: Not disclosed
People affected: Not disclosed
The U.S’s second-largest school district was hit with a ransomware attack in early September 2023 that had the southern California collective dealing with a massive fall out. The Los Angeles Unified School District encompasses over 1,000 schools serving over 600,000 students and hackers made off with 500 GB of personal information on an untold number of those students, their parents, and the schools’ employees. Vice Society — a ransomware gang with a particular taste for attacking the education industry — later claimed responsibility for the breach and, after the school district refused to pay the ransom, dropped all 500 GB of data on the dark web in early October.
3. Illuminate Education
Attack type: Not disclosed
Location: New York City, NY
Cost: Not disclosed
People affected: 820,000
In January 2022, cybercriminals targeted the school management platform Illuminate Education and gained access to a database containing personal information on more than 820,000 current and former NYC students. The attack took the New York public school system’s online grading and attendance system offline for several weeks. In the aftermath of the attack, several government agencies were asked to investigate Illuminate Education’s response to the breach and whether it notified those whose data was compromised in compliance with the state’s breach notification laws. Officials also requested an audit of the company, including steps taken to improve its cybersecurity program.
2. Michigan State University
Attack type: NetWalker ransomware
Location: East Lansing, Michigan
Cost: $1 million
People affected: Not disclosed
A cyber attack involving NetWalker ransomware targeted Michigan State University in May 2020. A blame game followed. The university’s IT department alleged that attackers gained access when IT employees in the physics department failed to install a patch for a virtual private network (VPN). However, the department’s IT team said it was not to blame, indicating that it lacked resources and direction from the central IT department. Shortly after the breach became public knowledge, the university announced it would not pay the attacker’s ransom. In response to the attack, the university has centralized IT resources. It also instituted additional protections, including supporting VPNs via the university’s central IT department, employing multi-factor authentication, and restricting user access.
1. University of California, San Francisco
Attack type: NetWalker ransomware
Location: San Francisco, CA
Cost: $1.14 million
People affected: Not disclosed
In another NetWalker ransomware attack in June 2020 involving the University of California, cybercriminals managed to encrypt data stored on the San Francisco (UCSF) medical school’s servers. An anonymous tip to the BBC allowed journalists to observe the university’s ransom negotiations. The criminals agreed to accept $1,140,895 paid via 116.4 bitcoins when the negotiations concluded. In exchange, UCSF received decryption software to unlock its data.
How Educational Institutions Can Stay Protected from Cyber Attacks
Reduce Human Risk and Create a Security Conscious Workforce
Employees who aren’t well-trained in IT security take shortcuts to help them work more efficiently. They might share the same password for certain programmes or even leave passwords lying around on their desk. The best way to account for human error is to create a culture of security at work, supported by training and resources.
- Implement an ongoing schedule of training and education for all workers. Include updates on known attacks and information about best-in-class security procedures, such as multi-factor authentication (MFA) and password managers.
- Monitor IT processes for complexity. Keep ease-of-use in mind whenever you update or alter processes to avoid users turning to insecure shortcuts.
- Implement data usage controls that can block unsafe actions like uploading data to the web, sending emails to unauthorised addresses, or copying to external drives.
- Establish a password policy that requires users to implement strong passwords as well as one that mandates regular password changes and forbids written copies of passwords.
Train Staff on Breach Protocols
It’s vitally important to try to protect your networks from data breaches, but it’s also critical that your staff know what to do when a breach occurs. Employees should understand the sequence of steps to take following a breach, and IT staff should have the know-how to reinstate security systems as quickly as possible.
- Create a response team that’s always ready for action. In addition to IT staff, include legal, operational, HR, risk management, and PR personnel on the response team.
- In the event of a breach, first determine which systems were affected and what data was compromised. The response team’s job is to determine the extent of the breach so a full response can be put in place. As part of that response, make sure to notify relevant authorities and users.
- Change user passwords in terms of systems and software for any accounts possibly impacted.
- Fix any vulnerabilities. Analyse the attack and ensure that the security team addresses any vulnerabilities.
How Arctic Wolf Can Help
As the digital footprint of educational institutions expands to meet both face-to-face and remote learning needs, the threat posed by cybercriminals, particularly those who are adept at ransomware attacks, continues to grow.
Surviving a cyber attack requires access to customised security solutions with the ability to adapt as the needs of the organisation evolve, backed by a 24×7 team of experts who have eyes on glass and are always available.
A managed security operations provider can offer this to educational institutions, while also reducing or eliminating IT and security staff alert fatigue by contextualising alerts across the environment, so only truly actionable ones are elevated. A provider like Arctic Wolf takes things even further, helping to:
- Monitor environments 24×7 to detect and respond to cybersecurity threats
- Provide continual vulnerability assessments
- Partner with them to meet data security compliance obligations
- Identify threats targeting network or cloud applications
- Conduct cybersecurity awareness training for security teams and employees
Learn more about how Arctic Wolf helps schools, colleges, and universities protect their students, faculty, and infrastructure from increasingly sophisticated and determined hackers and cybercriminals. Discover the three cybersecurity gaps leaving your institution vulnerable. And explore how proactive security measures can translate into significant cost savings for educational institutions.
