TIAA: Ransomware data breaches soar in the U.S., affecting K12 and higher ed privacy

Ransomware Attacks on Education Sector Surge in 2025, U.S. Hit Hardest

Ransomware attacks on educational institutions worldwide reached 251 incidents in 2025, a slight increase from the previous year, with the U.S. bearing the brunt of the assaults, according to a report by Comparitech. Of the total attacks, 130 targeted U.S. schools, accounting for over half of global activity in the sector. The U.K. (12 attacks), France (9), Brazil (9), and Japan (9) followed as the next most affected countries.

While U.S. attacks declined marginally, the scale of data breaches grew significantly. Cybercriminals stole 3.89 million records from American institutions (over 98% of all reported stolen education sector data), including personal and financial information. Globally, breached records rose by 27%, though the true number of affected individuals may be higher, as the report only includes data from government sources.

Cl0p, a Russian ransomware syndicate, emerged as a dominant threat, responsible for five confirmed attacks that compromised 3.6 million records, over 90% of Comparitech’s confirmed breaches. The group exploited a zero-day vulnerability in Oracle’s E-Business Suite, allowing unauthorized access to sensitive data. Among its victims:

  • University of Phoenix (August 2025) – Nearly 3.5 million records exposed, the largest breach in the sector this year.
  • Dartmouth College (99,596 records) and University of Pennsylvania (46,491 records) – Among the top three most severe incidents.
  • Wits University (South Africa) – Part of Cl0p’s global campaign.

In 2023, Cl0p also breached nearly 900 colleges by infiltrating a third-party service used by the National Student Clearinghouse and TIAA, a retirement financial service for faculty.

Other major U.S. incidents included:

  • Cherokee County School District (Georgia) – Over 46,000 individuals affected, with 624GB of data stolen.
  • Harvard University (October 2025) – 1.3 terabytes of archive files exposed, per SecurityWeek.

The report highlights the growing sophistication of ransomware gangs and the vulnerabilities in education sector data systems, with third-party platforms increasingly targeted as entry points.

Source: https://universitybusiness.com/ransomware-data-breaches-soar-in-the-u-s-affecting-k12-and-higher-ed-privacy/

TIAA cybersecurity rating report: https://www.rankiteo.com/company/tiaa

"id": "TIA1773398169",
"linkid": "tiaa",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '3.5 million records exposed',
                        'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'University of Phoenix',
                        'type': 'Educational Institution'},
                       {'customers_affected': '99,596 records exposed',
                        'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'Dartmouth College',
                        'type': 'Educational Institution'},
                       {'customers_affected': '46,491 records exposed',
                        'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'University of Pennsylvania',
                        'type': 'Educational Institution'},
                       {'industry': 'Education',
                        'location': 'South Africa',
                        'name': 'Wits University',
                        'type': 'Educational Institution'},
                       {'customers_affected': '46,000 individuals affected, '
                                              '624GB of data stolen',
                        'industry': 'Education',
                        'location': 'Georgia, U.S.',
                        'name': 'Cherokee County School District',
                        'type': 'Educational Institution'},
                       {'customers_affected': '1.3 terabytes of archive files '
                                              'exposed',
                        'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'Harvard University',
                        'type': 'Educational Institution'},
                       {'customers_affected': 'Nearly 900 colleges (2023 '
                                              'breach)',
                        'industry': 'Education Services',
                        'location': 'U.S.',
                        'name': 'National Student Clearinghouse',
                        'type': 'Third-Party Service Provider'},
                       {'customers_affected': 'Nearly 900 colleges (2023 '
                                              'breach)',
                        'industry': 'Financial Services',
                        'location': 'U.S.',
                        'name': 'TIAA',
                        'type': 'Third-Party Financial Service Provider'}],
 'attack_vector': 'Zero-day vulnerability in Oracle’s E-Business Suite',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': ['Archive files (Harvard University)'],
                 'number_of_records_exposed': '3.89 million (U.S.), 3.6 '
                                              'million (Cl0p attacks globally)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal information',
                                              'Financial information']},
 'date_publicly_disclosed': '2025',
 'description': 'Ransomware attacks on educational institutions worldwide '
                'reached 251 incidents in 2025, with the U.S. bearing the '
                'brunt of the assaults. Over 3.89 million records were stolen '
                'from American institutions, including personal and financial '
                'information. Cl0p, a Russian ransomware syndicate, was '
                'responsible for five confirmed attacks compromising 3.6 '
                'million records by exploiting a zero-day vulnerability in '
                'Oracle’s E-Business Suite.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': '3.89 million records (U.S.), 3.6 million '
                                'records (Cl0p attacks globally)',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Third-party service providers '
                                          '(e.g., National Student '
                                          'Clearinghouse, TIAA)'},
 'lessons_learned': 'Growing sophistication of ransomware gangs and '
                    'vulnerabilities in education sector data systems, with '
                    'third-party platforms increasingly targeted as entry '
                    'points.',
 'motivation': 'Financial gain, data exfiltration',
 'post_incident_analysis': {'root_causes': 'Exploitation of zero-day '
                                           'vulnerability in Oracle’s '
                                           'E-Business Suite, third-party '
                                           'service vulnerabilities'},
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Cl0p'},
 'references': [{'source': 'Comparitech'}, {'source': 'SecurityWeek'}],
 'threat_actor': 'Cl0p (Russian ransomware syndicate)',
 'title': 'Ransomware Attacks on Education Sector Surge in 2025, U.S. Hit '
          'Hardest',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Zero-day vulnerability in Oracle’s E-Business '
                            'Suite'}