Cyber attackers seem to be targeting the education sector a lot more these days. Research from Quorum Cyber logged 425 incidents across 67 countries between November 2024 and October 2025, compared with 260 cases in the previous twelve month period – that is an entire 63% increase.
The data shows that attackers place high value on what universities store and produce. Academic institutions hold research in artificial intelligence, quantum computing and advanced materials, which attracts attention from nation state groups seeking strategic advantage. Criminal networks also see an opportunity to profit from stolen data and ransom payments, with Cl0p issuing average requests above $11m.
The way universities operate also makes them appealing targets. Open networks, large student populations and constant collaboration with external partners create conditions that are harder to secure than closed corporate systems. The Quorum Cyber report explains that these environments create a large attack surface, especially where older systems and hybrid learning tools are in use.
Ambrose Neville, Head of Information Security at Queen Mary University of London, explained the situation in practical terms. He said: “Universities are increasingly targeted both for the data they hold and the very diverse mixture of workloads and technologies. We’ve observed attacks designed to interrupt teaching, research and day-to-day operations.”
How Are These Attacks Carried Out?
Attack methods now depend on human behaviour more than ever before. Phishing accounted for 34% of ransomware incidents in the Quorum Cyber data and phishing as a root cause rose by 96% during 2025. Stolen credentials also became more common, giving attackers a way into systems without setting off early warnings.
Deception now looks a lot like everyday communication used across universities, which makes these attacks harder to spot. Emails, login pages and phone calls are designed to look familiar and trustworthy, increasing the chance that users will respond. The report explains that “social engineering, the practice of manipulating people through the manipulation of trust, has been at the centre of many high-profile attacks throughout 2025”.
AI makes all of these tactics even more complex because attackers can generate content to convince targets and automate a lot of their attacks with a lot less effort. One example in the report shows a Chinese backed group using AI agents to carry out up to 90% of an intrusion, reducing the need for manual involvement.
More from News
- Experts Share: How Does The Tech World Feel About Apple’s New CEO
- What Do The April 2026 ONS Market Figures Mean For UK Businesses?
- FinanceWire And Symex Global Partner To Boost PR And IR Reach For Euronext Paris Companies
- Could You Be Answering A Normal Call When It’s Actually A Deepfake?
- Do People Trust AI More Than They Trust Humans?
- Power Costs Are Causing 1 In 5 UK Firms To Move Overseas
- What Will Happen If EU Regulators Win At Getting Google To Share Its Data?
- Uber Eats Makes Influencers Central To Its UK Growth Strategy
Ransomware groups also take advantage of predictable academic cycles. Busy enrolment periods and exam seasons create pressure on systems and users, which increases the likelihood of mistakes. Jack Alexander, Senior Threat Intelligence Analyst at Quorum Cyber, said: “In many cases, adversaries are exploiting known vulnerabilities, exposed credentials or predictable operational patterns.”
Technical weaknesses also continue to open doors and it was reported that vulnerability disclosures passed 35,000 in 2025, a 21% increase, which makes system updates harder to manage across large institutions. Attackers often combine these weaknesses with stolen credentials to gain access and expand activity inside networks.
What Does That Mean For Students And Institutions?
The effects of these attacks extend into everyday university life. Many incidents now aim to disrupt teaching and operations, and this has become more visible across the sector. UK data shows a fivefold increase in DDoS incidents, which can interrupt online learning platforms, exams and internal services.
Government data shows how common these incidents have become across higher education. The UK Cyber Security Breaches Survey 2025 found that 91% of higher education institutions reported a breach or attack in the past year and 30% experienced attacks at least weekly. Education institutions were also more likely than businesses to face impersonation attacks/malware and DDoS activity.
Disruption affects both staff and students in in many ways. Teaching can pause without warning, research projects can stall and administrative systems can fail during critical periods. Neville said attacks are now “designed to interrupt teaching, research and day-to-day operations,” which shows how disruption has become a primary goal.
Long term effects can be difficult to repair. Education institutions may face lower ransom requests than sectors such as finance, yet the loss of research data or intellectual property and in turn, trust, can have lasting consequences. The Quorum Cyber report shows that attackers place increasing value on data that can be stolen and used for extortion.
Jack Alexander summarised the situation with an accurate description of the threat environment. He said, “The education sector is now dealing with a convergence of threats: nation-state actors seeking strategic advantage, hacktivists responding to geopolitical events and cybercriminal groups pursuing financial gain.”
