August 31, 2023 by Edan Cohen

Rogue Lessons: Threats to the Education Sector on the Dark Web

While most students return to school after a two-month summer break, cyber threats to the education sector are a year-round presence on the deep and dark web. Some threats undermine academic integrity: the sale of fake academic credentials, online cheating and plagiarism, unauthorized access to learning materials, and homework or essay writing services. Others target institutions themselves, with ransomware and breaches of confidential student data occurring frequently. For example, in early 2023, passport scans from several UK schools began appearing on a ransomware group's leak site after the schools declined to pay the ransom.

According to Sophos's "The State of Ransomware in Education 2023" report, the number of attacks against the education sector reportedly doubled from 2021 to 2022. One of the more notable incidents was the September 2022 attack on the Los Angeles Unified School District, the second largest district in the United States, which serves 1,300 schools and 640,000 students. Attackers allegedly stole over 500 GB of data and shared personally identifiable information (PII) on the dark web. During another ransomware incident targeting Bluefield University in April-May 2023, the attackers took over the institution's emergency broadcast system and used it to send text and email alerts to students. The messages claimed that 1.2 TB of files had been exfiltrated and threatened that student data would be leaked on the dark web.

What makes schools such an enticing target for cybercriminals? There are two main reasons: they possess high-value data, and they are relatively vulnerable targets. Let's break this down.

Personally Identifiable Information (PII)

Academic institutions store valuable PII, including contact information, social security numbers, health and medical records, and financial information. This data can be used for identity theft, account takeover, and financial fraud, as well as for further phishing aimed at obtaining more sensitive information. Unauthorized access to students' records could also constitute a violation of the Family Educational Rights and Privacy Act (FERPA), exposing schools that have not taken appropriate protective measures to legal and regulatory consequences.

Limited Resources

Many institutions have limited IT and cybersecurity resources, leaving them vulnerable through insufficient training, outdated software, or weak security controls. This is compounded by an institution's diverse population of students, administrators, faculty, employees, and external partners, each with varying levels of cybersecurity awareness, which multiplies the potential entry points for threat actors.

Open learning environments

Educational institutions typically foster the sharing of information and resources and collaboration around them. With this comes reliance on third-party software, such as learning management systems, video conferencing solutions, administrative software, and other external dependencies, each of which can introduce vulnerabilities if proper security measures aren't in place. This is especially true given the growth of remote learning and connectivity, which has expanded the attack surface and introduced new potential entry points for attackers.


Students also tend to be more digitally active and may engage in riskier online behaviors, making them more likely to fall victim to phishing attacks. Their familiarity with social media and online platforms can breed complacency when it comes to recognizing sophisticated phishing schemes.

Intellectual property and research

Universities and research institutions produce groundbreaking research and valuable intellectual property, sometimes in collaboration with government entities. Sensitive research data therefore attracts not only financially motivated criminals but also actors driven by geopolitical considerations who seek to turn stolen work into a competitive advantage. The high cost of disruption further incentivizes institutions to pay a ransom to regain access to their data, and paying does not remove them from the target list.

How can organizations protect themselves?

The two most common root causes of an attack are compromised credentials and exploited vulnerabilities. On the credential side, stealer logs containing ".edu" domains are routinely sold and shared on underground forums. Comparing all of 2022 with just the first eight months of 2023, references to such logs have already increased by roughly 46%.

In this context, there are various precautions that schools and institutions can take to mitigate these risks and blunt future attacks. These include, but aren't limited to:

  • Implement Multi-Factor Authentication (MFA), which can be cost effective and prevents a stolen password from being sufficient on its own

  • Enforce unique passwords per platform, backed by password managers, and force rotation of any credential that appears in a stealer log or breach dump (calendar-based rotation alone does little against credentials that are already for sale)

  • Conduct cybersecurity training as an ongoing practice rather than a one-time exercise

  • Apply software updates promptly and deploy malware detection on endpoints, since stealer logs originate from infected user devices

  • Review user accounts and remove inactive ones to further reduce the attack surface

  • Invest in dark web monitoring capabilities and comprehensive cyber threat intelligence (CTI) solutions
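As an added example (not code from the original post or from any vendor's tooling), the script below shows the triage step that turns dark web monitoring into the credential-hygiene actions listed above. It takes a stealer-log dump in the common url:login:password layout (a simplification; real dumps vary), flags every credential tied to one institution's domain, and reports logins whose password is reused across services, which is what lets a single infected laptop become an SSO account takeover. The format, the sample lines and the `example.edu` domain are all constructed assumptions.

```python
"""Triage a stealer-log dump for one institution's exposed credentials.

Constructed example: the url:login:password layout mirrors common stealer
dumps but is simplified, and example.edu is a placeholder domain.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample dump (not real data). It mixes institutional portals,
# personal services signed into with a .edu address, unrelated noise and a
# malformed line, as a real dump would.
SAMPLE_LOG = """\
https://sso.example.edu/idp/profile/SAML2/Redirect/SSO:jdoe@example.edu:Spring2023!
https://canvas.example.edu/login:jdoe@example.edu:Spring2023!
https://www.netflix.com/login:jdoe@example.edu:Spring2023!
https://mail.google.com/:asmith@gmail.com:hunter2
https://lms.other-college.edu/login:asmith:WelcomeBack1
https://portal.example.edu/:asmith:Welcome1
malformed line without separators
https://zoom.us/signin:msmith@example.edu:Zoom!2023
"""


@dataclass(frozen=True)
class Credential:
    host: str
    login: str
    password: str


def parse_stealer_log(text: str) -> list[Credential]:
    """Parse url:login:password lines, dropping anything that does not fit.

    Splitting on the last two colons keeps the 'https:' in the URL intact.
    A password containing ':' would still be misparsed; such lines are
    skipped rather than guessed at, so counts here are a lower bound.
    """
    creds = []
    for raw in text.splitlines():
        parts = raw.strip().rsplit(":", 2)
        if len(parts) != 3 or not parts[0].startswith(("http://", "https://")):
            continue
        url, login, password = parts
        host = (urlsplit(url).hostname or "").lower()
        creds.append(Credential(host, login.strip(), password))
    return creds


def institution_exposure(creds: list[Credential], domain: str) -> list[Credential]:
    """Credentials that concern the institution: the service is hosted under
    its domain, or the login is an address on that domain (e.g. a student
    using the .edu mailbox to sign into a streaming site)."""
    domain = domain.lower()

    def in_domain(name: str) -> bool:
        return name == domain or name.endswith("." + domain)

    hits = []
    for c in creds:
        login_domain = c.login.rsplit("@", 1)[-1].lower() if "@" in c.login else ""
        if in_domain(c.host) or in_domain(login_domain):
            hits.append(c)
    return hits


def password_reuse(creds: list[Credential]) -> dict[str, list[str]]:
    """Map each login whose exact password appears on more than one host to
    those hosts. Passwords are deliberately not returned, only the fact of
    reuse: a reused SSO password is the finding that matters."""
    by_pair = defaultdict(set)
    for c in creds:
        by_pair[(c.login.lower(), c.password)].add(c.host)
    reused = defaultdict(set)
    for (login, _pw), hosts in by_pair.items():
        if len(hosts) > 1:
            reused[login] |= hosts
    return {login: sorted(h) for login, h in reused.items()}


def triage(text: str, domain: str) -> dict:
    """One-shot report: accounts to force-reset and logins to review for reuse."""
    creds = parse_stealer_log(text)
    hits = institution_exposure(creds, domain)
    return {
        "parsed": len(creds),
        "exposed_logins": sorted({c.login for c in hits}),
        "reused_passwords": password_reuse(creds),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "example.edu")
    print(f"parsed {report['parsed']} credentials")
    print("force reset + MFA check:", report["exposed_logins"])
    for login, hosts in report["reused_passwords"].items():
        print(f"password reuse: {login} -> {', '.join(hosts)}")
```

Every login in `exposed_logins` is a candidate for an immediate forced reset and an MFA enrolment check, regardless of any rotation schedule; the reuse report shows which of those resets must also cover services the institution does not control.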
