The education sector had more cyberattacks per organization than any other industry in 2024, with incidents rising 75% over the previous year. [Disclosure 1] In a study by Comparitech, ransomware attacks directed at schools, colleges, and universities increased 23% over the previous year. [Disclosure 2]
Attacks dipped several years ago as cybercrime groups in Ukraine and Russia left regions affected by the war, but now that those groups have relocated, cybercrime operations have escalated. Most experts expect education-related cyberattacks to continue increasing in the coming years.
In addition to the disruption they cause, ransomware attacks have a staggering financial impact. The average ransom demand was $1.6 million during the first half of 2025. [Disclosure 2] According to Comparitech’s 2024 Year End report on ransomware attacks, educational institutions experienced 116 confirmed attacks, affecting 1.8 million records, with an average ransom demand of $847,000 [Disclosure 3], not including costs for remediation, data replacement, and other associated expenses.
The education sector attracts cybercriminals.
The education sector appeals to cybercriminals due to its abundance of personal data on students, faculty, and staff, as well as valuable intellectual property developed at research universities and colleges. To compound matters, limited budgets at many educational institutions prevent them from making necessary upgrades to IT infrastructures and cybersecurity defense systems, creating an even more compelling reason for cybercriminals to target these institutions.
Both K-12 and higher education institutions have broad exposure to cyber threats, with many people outside the organization, such as students, accessing their systems and networks. The continued proliferation of online learning and a greater online presence translate to more cyberattack exposure, particularly with the use of third-party platforms, software, and cloud storage and sharing systems.
Cyber protection defensive measures don’t get the attention or funding that the growing threat warrants. While IT professionals typically understand the high risks of cyber threats, limited financial resources for technology security and compliance are often allocated first to complying with tightening CIPA, COPPA, and FERPA regulations protecting students’ personal information.
With so much at stake, education leaders should understand the threats, identify where they’re most vulnerable to attacks, shore up defenses, and develop a response plan for when, not if, a breach occurs.
The methods and motives driving cyberattacks.
Threat actors are more likely to target the technology that educational institutions rely on than the individuals who use it. Cybercriminals often employ a “spray and pray” campaign, releasing malware across a broad spectrum of industries and organizations and then counting on the sheer number of attempts to find a vulnerability that will gain them easy entry.
Hackers then focus on the organizations with the greatest potential for a large payout. For this reason, private colleges with large endowments present a natural target, but larger public institutions can be attractive as well. Attackers often begin by looking at an organization’s financial statements and indications of its cyber insurance policy coverage limits to uncover sources of funds that could be used to pay a ransom.
While cybercriminals use a variety of methods to achieve their goals, most attacks on schools and higher education organizations tend to fall into a few broad categories:
- Ransomware strikes comprise the largest volume of attacks against education organizations. Hackers gain access to a district or school’s computer network, encrypt data, devices, or systems, and lock staff (and sometimes other users) out until the organization pays a ransom. These attacks can involve the copying or theft of sensitive data, but often the main goal is to severely disrupt operations by holding critically important data or systems hostage to force payment.
- Data breaches pose an increasingly expensive threat, with each incident in education and learning costing an average of $3.8 million in 2025. [Disclosure 4] Cybercriminals love social media. They commonly use social engineering tactics like phishing and pretexting to gain access to social security numbers, birth dates, credit card numbers, financial data, intellectual property, and the institution itself—all of which they can ransom or sell for criminal activity.
- Miscellaneous errors are a growing vulnerability for the education sector. Employee-related mistakes such as sending emails to the wrong recipients, unintentionally publishing personal or confidential data, and misconfiguring or failing to update network systems with the latest anti-malware software can provide an opening for data breaches, with or without an attack.
Smaller educational institutions that tend to have more limited IT budgets are sometimes forced to rely on older hardware and software. This “end of life” technology may not be supported by the developer or manufacturer and could lack crucial security patches and updates to fend off attacks. These outdated systems and applications make inviting targets for cybercriminals and could dramatically increase the risk of a successful cyberattack.
The table below highlights a few recent, high-profile incidents to illustrate the breadth and scope of the consequences.
Recent education cybersecurity incidents
PowerSchool breach in December 2024 [Disclosure 5]
- PowerSchool provides cloud-based software solution tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance at more than 6,000 K-12 schools and districts across the United States and Canada.
- The data breach affected an estimated 62 million students and 10 million teachers.
- The company paid $2.85 million in Bitcoin ransom. [Disclosure 6]
Toronto District School Board - Canada’s largest school board [Disclosure 7]
- Following the PowerSchool breach, in December 2024, cyber attackers began to make threats to the school board directly, despite assurances from PowerSchool that all records would be destroyed following its ransom payment.
- The breach exposed sensitive student information dating back to 1985, including:
  - Full student names
  - Birth dates
  - Health card numbers
  - Detailed medical records
  - Home addresses
  - Parent/guardian contact details
- Social Insurance numbers (the Canadian equivalent of Social Security numbers) and financial data were not breached.
- Other major Canadian educational institutions have reported similar extortion attempts, including:
  - Peel District School Board
  - Calgary Board of Education
  - Several other school boards across the country
University of Oklahoma attack in January 2025 [Disclosure 8]
- A ransomware attacker named Fog stated it had access to 91 MB of data consisting of employee contacts, financial data, and the phone numbers and email addresses of state senators.
- The university was able to quickly isolate certain systems to reinforce security.
Lee University in March 2024 [Disclosure 9]
- The ransomware gang Medusa claimed responsibility for an attack that stole nearly 388 GB of data. Medusa demanded $1 million in ransom.
- A breach notice was sent to approximately 137,000 individuals.
- Compromised data included:
  - Names
  - Social Security numbers
  - Government-issued ID numbers (e.g., driver’s license, passport)
  - Financial information, including credit and debit card numbers
  - Medical information
Between January 2024 and April 2025, there were 21 additional college and university security breaches. In the same time frame, at least 78 schools or school districts had data breaches. The largest of these was Chicago Public Schools, impacting 700,000 people. [Disclosure 10]
Identify your vulnerabilities and shore up defenses.
Given the pervasive threat, and the cost and disruption posed by cyberattacks, foresighted educational leaders should adopt a vigilant stance that prioritizes stringent security, along with thorough planning, to minimize their risk.
Start by identifying the organization’s vulnerabilities. Consider these fundamental questions to help formulate a comprehensive security plan:
- What type of data do we collect and store?
- How and where do we store it? (e.g., cloud-based, on servers, on premises)
- Do we send sensitive data in email attachments?
- Do we have a file server containing statements whose exposure could require us to notify affected parties or create legal exposure?
- How do these same questions apply to our technology and software vendors? How secure are their defenses?
When it comes to cybersecurity, the playing field is unbalanced; the attacker has an inherent advantage. Cybercriminals can try an endless number of approaches and need only a single success, but to defend against every vulnerability, every time, your security controls must operate at 100% effectiveness.
Actions to defend against cybersecurity threats
Vulnerabilities are plentiful, but you can mount a solid defense against these threats using a layered approach:
- Updated and patched software and applications
- Strong identity access policies and procedures
- Comprehensive network and data monitoring
- Required multifactor authentication
- Separate systems that insulate sensitive data from the rest of the network
- Vigilant scanning to detect and respond to network threats
- Current onsite and offsite backups to allow data and system restoration
- Segmented network structure that limits lateral movement within the system
- Continual network user education and security awareness training
- Robust incident response and operational continuity plans
- Frequent vulnerability and response plan testing
- Specialized solutions to maintain data sets such as HR or health system management
- Third-party providers with awareness of legal and compliance requirements
- Responsible platform providers that assume some of the risk for cyber incidents
Formulate a strategy to mitigate cyber liabilities.
As cyberattacks on educational systems have become more frequent and costly, cyber liability insurance, or cyber risk insurance, has emerged as a key component of comprehensive cyber security plans. This insurance helps protect organizations from the steep financial costs and legal liabilities associated with cyber incidents. A cyber insurance policy can mitigate the risk of loss from data breaches, data theft, ransomware attacks, operational interruptions, and liability resulting from lawsuits, as well as related regulatory fines and penalties.
An organization’s results from a security assessment, along with the annual policy limits being purchased, will often set the terms for the breadth of coverage, levels of self-insured retentions, waiting periods, and annual premium. Cyber insurers often require two-factor authentication, up-to-date firewalls, and robust penetration and vulnerability testing. Following best practices can help improve your cyber insurance cost and coverage, in much the same way that homeowner’s insurance offers lower premiums for installing burglar alarms, sprinklers, and smoke detectors.
Confirm with your insurance provider the firms you plan to engage in your incident response efforts. Firms not approved by your provider may not have their expenses covered.
Once insured, you and your insurance carrier share an interest in reducing the risk of loss. Some carriers offer valuable prevention and preparedness programs and tools to help you defend against cyber-attacks. Some may also offer premium reductions to organizations that utilize approved third-party providers or specified platforms and solutions to reduce risk.
Establish your game plan before an attack happens.
Even the strongest defenses aren’t impenetrable, so it’s important to prepare. How should you respond if you are attacked? Knowing what to do ahead of time will help you limit the damage and recover more quickly.
Begin by establishing a cross-functional incident response team to develop and maintain a comprehensive response plan. Your incident response team should include internal personnel, with representation from information security staff and executive management, as well as external members, such as a cyber incident response firm, data forensics experts, data privacy legal counsel, the organization’s cyber insurance broker, and both internal and external communications/public relations professionals.
The team’s first task is to choose an individual to lead the response efforts and develop an incident response plan. The team should then test the plan periodically under various incident scenarios. It’s also important to revisit and update your plan regularly to reflect emerging, real-world threats and evolving industry best practices. Also, take the key step of making your plan available offline, as a cyberattack may lock you out of your systems.
The next step is conducting a cyber-attack drill that provides team members an opportunity to practice their response steps, identifying potential problems and improving familiarity with how the response unfolds. This kind of “dry run” can improve the speed and performance of implementing your plan and help reduce stress levels after an actual incident. Avoid responding on the fly, which often results in higher incident costs, excessive legal liability, and additional reputational harm.
Understand your incident to-do list.
After a cyber incident, immediate action is imperative. Your plan will reflect unique organizational factors and the nature of the incident, but it should include most or all of these key actions: [Disclosure 11]
- If your experts suspect your organization is undergoing a significant cyberattack, consult your insurance broker to discuss the policy’s incident notice requirements. Your insurance broker can work with your cyber insurance carrier to outline the proper first steps and the optimal process to engage carrier-approved vendors who have the proper expertise and charge pre-approved rates. This step ensures that you’re adhering to policy terms and conditions and that you receive your full policy benefits.
- Activate your incident response team and make sure that the persons designated with oversight duties are on board. Plan for backup personnel for key positions, as key parties may be on vacation or otherwise unavailable when an event happens.
- Most companies prefer to appoint approved breach counsel at the onset to determine appropriate actions that fulfill legal obligations, manage potential liabilities, and prepare for the possibility of future litigation or regulatory investigation. Breach counsel can also negotiate terms on vendor engagements and instruct vendors in how to prepare reports and invoices for carrier reimbursement and preserve attorney/client privilege in anticipation of potential litigation.
- Identify the threat and try to isolate affected systems to prevent further damage.
- Immediately resolve the vulnerability that allowed the incident, if possible. Do not discard evidence that could be used in the prosecution of threat actors and/or contributors to the incident.
- Conduct a thorough damage assessment. Implement the appropriate response plan.
- Formulate an action plan that addresses the most urgent priorities: mitigating the impact of the incident, repairing systems, restoring data, and strengthening security.
- Work closely with your forensic investigation firm and other incident response experts to assist with the negotiation process and prepare for secure and lawful extortion payment (if necessary) along with assistance in restoring full operational status across the organization.
- Preserve and document evidence related to the incident so it will be available for future prosecution or law enforcement purposes. In your haste to restore data, take care not to destroy evidence that could help identify the attackers.
- Report the incident to all appropriate law enforcement agencies. They may be able to assist in the investigation.
- Engage an insurer-approved public relations and communications team to communicate the incident to internal and public-facing audiences. Offer as much transparency as experts advise and provide updates as you learn more about the incident and its impact.
- Communicate with regulatory compliance authorities as applicable.
- Verify and comply with legal requirements to notify those affected by the incident and offer credit monitoring and/or identity theft restoration services as approved by your insurer and advised by your breach counsel.
Rely on a strong partner to help you prevent—and survive—a cyberattack.
Manage your risk of attack. Cybersecurity requires significant planning and attention, but you don’t have to face it alone. Truist’s education industry consultants can help you assemble the resources to prepare for cybersecurity threats. Talk to your Truist relationship manager about how we can help. Visit us at Truist.com/Education.