Schools and universities across the globe experienced a sharp increase in attacks last year thanks to the combined threat from geopolitical tensions, ransomware and hacktivism, according to Quorum Cyber.
The security service provider’s 2026 Global Cyber Risk Outlook for Higher Education is compiled from FalconFeeds.io threat intelligence data covering the period November 2023 to October 2025.
It revealed that total recorded incidents increased 63%, from 260 attacks between November 2023-October 2024 to 425 in the period November 2024-October 2025.
Across 67 countries, data breaches rose by 73%, hacktivist activity increased by 75% and ransomware went up by 21%.
Read more on education sector threats: 73% of UK Education Sector Hit by Cyber-Attacks in Past Five Years.
The threats come from various sources. Universities in particular face nation-state efforts to steal high-value research materials, especially in AI, quantum computing and advanced materials, Quorum Cyber claimed.
They’re also facing hacktivist-related DDoS attacks, defacement and data-leak threats, including a ramping up of activity from Iranian threat actors, the report noted.
Infostealer malware and financially motivated ransomware were a persistent threat over the period, with FunkSec (23%), Cl0p (10%), INC (10%) and Nova (10%) the most prolific groups.
Tackling the Threat to the Education Sector
Quorum Cyber recommended the following mitigation measures for education institutions:
- Intelligence-led vulnerability management: using up-to-date information to prioritize vulnerabilities for patching
- Dark web monitoring: early warning for leaked credentials and third-party breaches
- Robust backups: three copies of all critical data on two devices with one stored offline in a separate location
- Incident response exercises: regular tabletop exercises to ensure plans and playbooks are fit for purpose and well understood
- Password management: strong unique passwords for all accounts, stored in a password manager
- Social engineering policies: helpdesk hardening, user awareness training, phishing-resistant MFA and enforced principle of least privilege
Ambrose Neville, head of information security at Queen Mary University of London, said his team have observed attacks designed to interrupt teaching, research and day-to-day operations.
“The challenge for the sector is that openness and collaboration is fundamental to how higher education institutions operate,” he added,
“This makes it more challenging to simply lock systems away, in the way that some other industries may be able to. As a result, we prioritize security resilience. It’s critical to know where you’re exposed, spot threats early and respond quickly before incidents escalate.”
