Schools across the Australian state of Victoria were caught up in a cyber attack last week that saw every school in the state impacted, and last month, Monroe University in New York experienced a breach that compromised the data of more than 320,000 individuals – but why schools?
What makes them such an attractive target for cyber criminals?
“Universities are attractive targets because they combine high-value data with structurally weak defences,” Rapid7’s Christiaan Beek told Cyber Daily.
“Threat actors know that universities hold vast amounts of sensitive information like student records, financial data, health data, and valuable research, yet they often operate with limited security budgets, legacy systems, and highly decentralised IT environments.”
Another complicating factor is open design – universities, in particular, and many other places of learning are open as a feature, with thousands of users regularly logging in and connecting their devices, either onsite or remotely.
The need for collaboration with external partners can also create larger attack surfaces, which Beek said are “difficult to lock down without disrupting academic missions”. In addition, hackers know the perfect times to hide their attacks among regular traffic.
“Looking at the last half of 2025, we saw the frequency of attacks against the education sector spike in August and then again in November and December, with the low point being October,” Beek said.
“The times in which attacks were most prevalent coincide with university timelines for both incoming and outgoing faculty and students.”
The possibility of walking away with research data can be a particular drawcard for criminals.
“Research, especially medical and scientific research, significantly increases cyber risk. These datasets are often high-value, irreplaceable, and time-sensitive, making them ideal targets for extortion,” Beek said.
“They’re also widely shared across collaborators, labs, and external partners, which expands the attack surface and increases the likelihood of credential abuse, misconfigurations, or insider misuse.”
There’s often an attractive crossover between the education and healthcare sectors, leading some threat actors to be more active in both sectors.
“Qilin, SafePay, and INC Ransom have been the most active in attacking the education sector over the last six months. We’ve observed these same groups attacking the healthcare sector, so it stands to reason that we would see them in education as well,” Beel said.
“When education and healthcare data intersect, as we’ve seen with recent university-affiliated research centres, the risk increases even further.”
Given the fact that ransomware operators like Qilin & co are not going away any time soon and will likely keep targeting schools and universities, Beek has some essential advice for anyone involved in keeping their campus secure.
“Start with mandatory MFA everywhere, especially for VPNs, email, and cloud services. Pair that with least-privilege access, shorter credential lifetimes, and better monitoring for anomalous behaviour,” Beek said.
“Finally, phishing resilience improves when training is continuous and realistic, not annual, and when users are backed by technical controls that limit blast radius when mistakes happen.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.