SOCRadar® Cyber Intelligence Inc. | Education Threat Landscape Report: Threat Posts 61% Increased


Feb 24, 2023

The education industry is experiencing a digital transformation process as technology becomes more prevalent in the world. This shift is particularly relevant for students, parents, teachers, administrators, and consultants who make up the diverse user base of the industry. However, this increased reliance on technology also brings about cybersecurity concerns.

According to the K-12 Cybersecurity Resource Center, over 1,300 publicly disclosed cyber incidents affected US school districts from 2016 to the end of 2021, indicating an increase in cyberattacks on educational institutions. This trend emphasizes the importance of cybersecurity in the education industry, especially during the COVID-19 pandemic, which has led to an increased demand for distance education and online teaching systems. 

In response to this heightened threat, K-12 education institutions must protect themselves by being informed about all possible cyberattack scenarios, their attack surface, and security posture. 

SOCRadar published the “Education Threat Landscape Report,” using its enriched intelligence to assist educational institutions in staying ahead of the curve and protecting themselves against looming cyber threats.

Cyberattacks Against Education Industry are Rising 

In both 2021 and 2022, public school districts in the United States were a popular target for threat actors, putting nearly 55 million students across approximately 13,800 districts at risk.

K-12 districts are a prime target for threat actors due to the sensitive nature of the data, making it easier to demand a ransom from the school or district administration. SOCRadar’s DarkMirror identified 24 ransomware incidents targeting K-12 organizations in the US, with Vice Society being the most active among 12 unique ransomware gangs. 

Additionally, SOCRadar identified four main APT groups targeting US educational organizations, all China-backed. You can find these groups in the report.

1,100 phishing attempts detected in US education industry in 2022 (Source: SOCRadar) 

The education industry’s cybersecurity situation is critical, with the number of ransomware attacks on the rise. SOCRadar’s dark web analysts detected a 234% increase in such attacks in 2022 compared to 2021. 

US Laws for Protecting Student Data Privacy

There are several laws aimed at protecting the privacy of student data. These include the Family Educational Rights and Privacy Act (FERPA), the Children’s Internet Protection Act (CIPA), the Protection of Pupil Rights Amendment (PPRA), the Individuals with Disabilities Education Act (IDEA), and state privacy laws.

For example, FERPA is a federal law protecting the privacy of student education records. It regulates what data schools can collect, store, and share with or without the consent of students, parents, or guardians.

Experts suggest that given the long retention of student data, education institutions should take all possible measures to protect it. However, school IT staff and leadership are typically not personally responsible for data breaches, and FERPA does not allow students or their guardians to sue schools. While schools have previously only faced the risk of losing funding due to FERPA violations, the K-12 Cybersecurity Act may now result in additional consequences for cyber incidents. 

Government’s Response to Rising Cyberattacks on US K-12 Schools

Despite legal regulations, K-12 schools are increasingly targeted by cyberattacks, including data breaches and ransomware attacks.

Threat actors target these districts because they can pressure the school administration and demand a ransom since the data is critical. The federal government passed the Infrastructure Investment and Jobs Act and the K-12 Cybersecurity Act to combat these attacks. The former act allocates $1 billion to assist states and school districts in fighting against cyberattacks.

Education industry-related posts on underground forums increased by 61% in 2022. (Source: SOCRadar)

Our report provides recommendations to minimize the effects of cyber incidents on school districts. 

Recent Cyberattacks Targeting Education Industry 

The SOCRadar Education Threat Landscape Report details cyberattacks on educational institutions and trends among attackers. One section of the report covers attacks that SOCRadar found on leak sites and the dark web; some of these attacks are listed below.


The HiveLeaks ransomware group leaked Norman Public Schools data on its leak site, as detected by SOCRadar in November 2022. The school district’s data was leaked again in December 2022 on a hacker forum monitored by SOCRadar.


MISD Database on Sale 

Threat actors posted a new alleged database sale for Mansfield Independent School District in a hacker forum monitored by SOCRadar in October 2022. The Hive group had also targeted this district.


Royal Ransomware 

Adams-Friendship Area School District was announced as a new victim in December 2022 on the Royal ransomware group website, as monitored by SOCRadar.


SOCRadar provides users with such observations on Dark Web News, where you can find posts of malicious activity shared in hacker channels. You can search for threat posts by filtering country, category, industry, and other tags.

You can find more posts about the education industry by threat actors on SOCRadar Dark Web News.

Read the Education Threat Landscape Report for further insights into the education industry.