Ransomware attacks against schools and universities held relatively steady in 2025, but the scale of data exposure rose sharply, driven in part by third-party software vulnerabilities and a handful of outsized higher education breaches.
According to U.K.-based technology research company Comparitech’s latest education ransomware roundup, ransomware gangs globally claimed 251 attacks on educational institutions in 2025, just a few more than 2024’s 247. Of those claims, 94 have been confirmed by targeted organizations.
Though the number of attacks remained stagnant, the impact grew. Across confirmed attacks in 2025, 3.9 million records are known to have been exposed, a 27 percent increase over the 3.1 million of the previous year. Rebecca Moody, head of data research at Comparitech, said the breach totals are likely to rise further as additional disclosures are filed.
“A lot of the figures I have for breaches from 2025 are from the first half of the year, because we’re still waiting for data breach reports to come through for some of the later attacks,” she said. “It’s the breach figures that are going to rise, probably quite a bit more in the coming months.”
HIGHER ED DRIVES RECORD EXPOSURE
While K-12 schools continued to account for the majority of attacks — 74 percent of 2025 incidents and 72 percent in 2024 — higher ed bore the brunt of record exposure. In 2024, K-12 institutions saw 1.1 million records breached while higher-ed institutions saw 1.9 million. In 2025, that gap widened significantly. In the U.S., K-12 attacks breached 175,000 records compared to 3.7 million for higher ed, Moody shared in an email to the Center for Digital Education.
Comparitech’s report attributed the difference in 2025 to a small number of large breaches linked to a vulnerability in Oracle’s E-Business Suite software in August. The ransomware group CL0P exploited a flaw unknown to the developers, also called a zero-day vulnerability, leading to confirmed breaches at five institutions.
“The big distinguishing factor for 2025 is that a lot of the breaches that we saw are from these third-party attacks,” Moody said in an interview with CDE. “It’s making it harder for schools, effectively, because they’ve not only got to worry about their own systems, but they’ve also got to worry about the third-party systems that they’re employing.”
The Oracle exploit accounted for the top three cyber attacks on the higher-ed sector last year. It impacted 3.5 million records at the University of Phoenix, nearly 100,000 at Dartmouth College and 46,000 at the University of Pennsylvania. In contrast, the biggest breach of 2024 affected less than half as many — a hit on Texas Tech University Health Sciences Centers impacted 1,465,000 records, according to Moody.
“It doesn’t matter whether it’s Harvard or a little school district in the middle of nowhere,” she said. “If they’re using that software, they’re vulnerable to that target.”
K-12 REMAINS MOST FREQUENT TARGET
In the U.S. last year, K-12 ransomware attacks outpaced higher-ed attacks by nearly three times. Higher-ed breaches numbered 34 to K-12’s 96, Moody said in an email.
Some of the year’s largest K-12 breaches were attributed to the ransomware group Interlock, including an attack on Cherokee County School District in Georgia affecting 46,000 records. Interlock’s presence in education has grown year over year. The group led two attacks in 2024, compared with 17 in 2025, Moody shared in an email.
“Interlock are clearly targeting U.S. schools and have been successful in stealing quite a lot of data from these school districts,” Moody said.
RANSOMS DECLINE
The average ransom demand in the education sector fell 33 percent from 2024 to 2025, signaling a shift in strategy from cyber criminals. The average ransom demand in 2025 was $464,000, down from $694,000 the year previous.
“The lower the ransom, the higher the likelihood it’s going to get paid, especially when you think about schools and health-care companies whose budgets are really constrained,” Moody said.
Smaller demands may encourage negotiation, she said, whereas large, multimillion-dollar sums may be dismissed outright. Additionally, groups are executing more attacks, limiting the need for a big payout on each one.
At the same time, for some groups, the real value lies in the data itself, Moody said.
“If they’ve encrypted systems, they can demand a ransom for that, and then they’ve also got the data that they can hold for ransom,” she said. “Equally, if they don’t get ransom for either, they have the data that they can then sell on the dark web. So it’s a win-win for them.”
BE OPEN AND COVER THE BASICS
Beyond the numbers, Moody said cultural factors still shape how schools respond to and discuss ransomware incidents.
“Ransomware has always been a bit of a taboo,” she said. “There’s still this avoidance of saying the word.”
While some organizations feel it puts a target on their back if they share that they suffered an attack, Moody argued that more open conversations and awareness can help institutions better prepare.
“It helps other companies and schools,” she said. “They start to think, ‘OK, that’s happened to them. This could happen to us. Let’s think about how we can do this, that and the other.’”
For school administrators, Moody said preparation often starts with fundamentals: promptly updating software to patch known vulnerabilities, ensuring third-party vendors meet security standards, and providing regular training to staff.
