
    Higher Education Cybersecurity Breach Report 2026: 251 Ransomware Attacks, 3.96M Records Breached

    Jeff Sowell, September 21, 2025

    A factual analysis of ransomware, vendor-supply-chain cascades, academic medical center incidents, and the regulatory environment for U.S. colleges and universities.

    Published by BlueRadius Cyber | May 2026 | All figures sourced and footnoted

    Executive Summary

    Higher education absorbed 251 ransomware attacks globally in 2025 with approximately 3.96 million records breached, an increase of roughly 27% in records breached over 2024 (3.11 million records).[1] U.S. higher education alone accounted for approximately 3.7 million of those records (compared with 175,000 for K-12).[1] In 2024, Comparitech tracked 116 ransomware attacks on the education sector with an average ransom demand of $847,000 and approximately 1.8 million records exposed.[2] Attacks on education jumped 23% year-over-year in the first half of 2025, with the Qilin, SafePay, Fog, Interlock, and INC ransomware groups responsible for the largest share of incidents.[1][3]

    This report compiles publicly verifiable data on the largest higher education and academic medical center breaches disclosed between 2023 and early 2026, the regulatory environment shaping how universities must respond, and the supply-chain cascades (MOVEit, Citrix Bleed, Oracle Health, Oracle E-Business Suite) that have produced the bulk of seven-figure-record incidents in this window. Every statistic is sourced and footnoted. The picture for university CISOs is consistent: ransomware volume in absolute terms is high but moderating, while the per-incident scale is increasing, driven primarily by upstream vendor compromises that exfiltrate data from hundreds of institutions in a single campaign.

    Key Findings

    • 251 ransomware attacks on the education sector globally in 2025, with approximately 3.96 million records breached, up from 3.11 million in 2024.[1]
    • 116 ransomware attacks on education in 2024, down from 188 in 2023 (Comparitech), with approximately 1.8 million records exposed and an average ransom demand of $847,000.[2]
    • 3,489,274 individuals affected by the University of Phoenix breach disclosed December 22, 2025, traced to the CL0P exploitation of the Oracle E-Business Suite zero-day CVE-2025-61882. One of the largest single university-affiliated disclosures on record.[4]
    • 800,000 individuals affected at the University System of Georgia via the MOVEit / Progress Software CL0P campaign, notified in April 2024.[5]
    • Approximately 900 U.S. colleges and universities were impacted by the MOVEit breach through their relationship with the National Student Clearinghouse, which serves 3,500+ U.S. higher-ed institutions.[6][7]
    • 2.1 million Fred Hutchinson Cancer Center and UW Medicine patients were affected by the November 2023 Hunters International ransomware intrusion that exploited Citrix Bleed (CVE-2023-4966). The cost of remediation and settlement exceeded $52 million combined.[8][9]
    • 827,149 City of Hope National Medical Center patients were affected by an October 2023 incident, with a subsequent $8.5 million class-action settlement.[10][11]
    • 27,000 individuals affected at Stanford University from a May to September 2023 Akira ransomware intrusion targeting the Department of Public Safety network. Approximately 430 GB was exfiltrated.[12]
    • ~230,000 University of Michigan students and employees were affected by an August 2023 intrusion disclosed in October 2023, with Social Security numbers, payment cards, and health information among the exposed data.[13]
    • FTC Safeguards Rule 30-day breach notification took effect May 13, 2024, requiring covered higher-ed institutions to notify the FTC of any breach affecting 500 or more consumers.[14]
    • CMMC 2.0 Phase II takes effect December 16, 2025, with the Department of Defense investing more than $6 billion per year in university research subject to the rule.[15][16]

    Bottom line: The dominant breach pattern in higher education for 2024 and 2025 is not direct ransomware against a single university; it is a vendor or supply-chain compromise that propagates to hundreds of institutions at once (MOVEit, Oracle Health, Oracle E-Business Suite, Citrix Bleed). The regulatory environment has tightened materially in the same window, with the FTC Safeguards Rule's 30-day notification deadline in force since May 2024 and CMMC 2.0 Phase II in force as of December 2025. University CISOs and the boards of trustees they report to should treat third-party data inventories, contractual breach-notification clauses, and rehearsed incident response under a 30-day federal clock as foundational rather than discretionary.

    The 2024-2025 Education Ransomware Landscape

    Comparitech maintains the most-cited public tracker of education-sector ransomware in the United States. Its annual roundup is widely referenced by Inside Higher Ed, Higher Ed Dive, K-12 Dive, EDUCAUSE Review, and the cybersecurity trade press.[1][2]

    2024 in Context

    Comparitech tracked 116 ransomware attacks on the U.S. education sector in 2024, down from 188 in 2023. Approximately 1.8 million records were exposed and the average ransom demand was approximately $847,000.[2] The decline in attack count year-over-year was offset by the rise of upstream vendor compromise as the dominant breach vector: a single MOVEit-style cascade can deliver more victims than dozens of direct intrusions.

    2025: Year-Over-Year Acceleration

    Comparitech's 2025 roundup tracked 251 ransomware attacks on education globally with approximately 3.96 million records breached, up from 3.11 million in 2024.[1] Within the U.S., higher education accounted for the bulk of records (approximately 3.7 million versus 175,000 for K-12).[1] The first half of 2025 alone saw a 23% year-over-year increase in attacks on the education sector.[3] The most active ransomware groups against education in 2025 were Qilin (37 attacks), SafePay (23), Fog and Interlock (18 each), and INC (17).[1]

    The Vendor-Supply-Chain Cascade

    Four distinct upstream compromises produced the majority of the largest 2024-2025 higher-ed disclosures by affected-individual count.

    MOVEit (Progress Software, May 2023 onward)

    Between May 28 and May 31, 2023 the CL0P ransomware group exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer file-transfer product. The CL0P campaign ultimately affected 2,600 or more organizations and approximately 77 million individuals globally.[17] In the U.S. higher education sector specifically, approximately 900 colleges and universities were impacted through their relationship with the National Student Clearinghouse, which uses MOVEit and serves 3,500+ U.S. higher-ed institutions.[6][7] Direct National Student Clearinghouse notifications totaled 51,689 individuals.[18] Confirmed institutional victims included the University System of Georgia (800,000 individuals), Johns Hopkins, University of Missouri, University of Rochester, Southern Illinois University, Cornell University, multiple California State University campuses, SUNY Cortland, and CUNY Hunter.[5][6]

    Citrix Bleed (CVE-2023-4966, October 2023)

    The Citrix NetScaler ADC and Gateway vulnerability disclosed October 10, 2023, with a CVSS base score of 9.4, had been actively exploited as a zero-day since late August 2023. The Hunters International ransomware group used Citrix Bleed to compromise Fred Hutchinson Cancer Center and its integrated clinical partner, UW Medicine, exposing protected health information on approximately 2.1 million patients in an intrusion that ran from November 19 to November 25, 2023.[8][19] Fred Hutchinson disclosed the incident on December 6, 2023; the cost of remediation, settlement, and additional cybersecurity investment exceeded $52 million.[9]

    Oracle Health (Cerner, January 2025)

    The Oracle Health (formerly Cerner) January 2025 incident impacted multiple downstream healthcare provider customers, each reporting to HHS OCR separately. AdventHealth was among the named affected entities, with patient notifications beginning in December 2025.[20] Multiple academic medical center customers of Oracle Health were also affected through this cascade.

    Oracle E-Business Suite (CVE-2025-61882, late 2025)

    The CL0P group's October 2025 exploitation of Oracle E-Business Suite zero-day CVE-2025-61882 was the entry vector for the December 22, 2025 University of Phoenix disclosure affecting 3,489,274 individuals.[4] The University of Phoenix incident is one of the largest single university-affiliated disclosures on record and illustrates that even years after MOVEit, upstream vendor compromise remains the dominant pattern.

    Major University Disclosures (2023-2025)

    University of Phoenix (Disclosed December 2025): 3.5 Million Individuals

    The University of Phoenix disclosed on December 22, 2025 a breach affecting 3,489,274 individuals, traced to the CL0P exploitation of Oracle E-Business Suite CVE-2025-61882.[4] Affected data included names, Social Security numbers, dates of birth, financial account information, and educational records.

    University System of Georgia (Notified April 2024): 800,000 Individuals

    The University System of Georgia notified 800,000 individuals in April 2024 of a MOVEit-related breach. Affected data included names, Social Security numbers, dates of birth, federal tax information, and bank account numbers for current and former students, employees, and dependents.[5]

    University of Michigan (Disclosed October 2023): ~230,000 Individuals

    Following an August 2023 unauthorized access event, the University of Michigan disclosed in October 2023 that approximately 230,000 students and employees had data exposed including Social Security numbers, driver's license numbers, payment card information, health information, and university account credentials.[13]

    Stanford University (Disclosed October 2023): 27,000 Individuals

    Akira ransomware compromised Stanford's Department of Public Safety network between May 12 and September 27, 2023. Approximately 430 GB of data was exfiltrated, affecting roughly 27,000 individuals.[12]

    Academic Medical Centers

    Academic medical centers sit at the intersection of HIPAA, FERPA, research-data governance, and federal grant compliance. The dominant breach pattern in this sub-sector is double-extortion ransomware exploiting the same vendor weaknesses that affect general healthcare providers.

    Fred Hutchinson Cancer Center and UW Medicine (November 2023): 2.1 Million Patients

    Hunters International exploited Citrix Bleed to gain access between November 19 and November 25, 2023, exposing protected health information for approximately 2.1 million patients. The intrusion was distinguished by a direct-to-patient extortion model in which individual patients received personalized emails demanding $50 in cryptocurrency. Combined remediation, settlement, and additional cybersecurity investment exceeded $52 million, including approximately $11.5 million in patient settlement and a separate $13.5 million cybersecurity investment commitment.[8][9][19]

    City of Hope National Medical Center (Disclosed October 2023): 827,149 Individuals

    City of Hope, the National Comprehensive Cancer Center headquartered in Duarte, California, disclosed an unauthorized access incident that occurred between September 19 and October 12, 2023 and affected 827,149 individuals, with a subsequent $8.5 million class-action settlement.[10][11]

    Howard University College of Dentistry (September 2021): 81,000 Patients

    A September 2021 ransomware intrusion at the Howard University College of Dentistry affected approximately 81,000 patient records. The Howard University incident is included here because it illustrates that university academic medical and dental facilities are HIPAA-covered entities subject to the same OCR enforcement regime as standalone healthcare providers.[21]

    The Regulatory Environment for Higher Education

    FERPA (Family Educational Rights and Privacy Act)

    FERPA, codified at 20 U.S.C. 1232g, does not require breach notification to students. The penalty for FERPA violations is loss of federal Department of Education funding; the Family Policy Compliance Office investigates and enforces under 34 CFR 99.64(b).[22][23] In practice this means a university with a FERPA-relevant data breach faces no direct individual notification obligation under FERPA itself, but may face notification obligations under state breach notification laws, HIPAA (for any academic medical center data), or the FTC Safeguards Rule (for GLBA-covered student financial aid data).

    Gramm-Leach-Bliley Act (GLBA) Safeguards Rule

    Title IV-eligible institutions (those participating in federal student financial aid programs) are subject to the GLBA Safeguards Rule, which the Department of Education enforces via the Program Participation Agreement. The updated Safeguards Rule took effect June 9, 2023 and imposes nine specific controls including written information security programs, multi-factor authentication, encryption of customer information, regular risk assessments, and qualified-individual oversight.[15] Non-compliance can trigger a ban from Title IV participation or fines of up to $100,000 per violation.[15]

    FTC Safeguards Rule Breach Notification (Effective May 13, 2024)

    The FTC amended the Safeguards Rule to require 30-day breach notification to the FTC for any breach affecting 500 or more consumers. The notification requirement took effect May 13, 2024.[14] Covered higher-ed institutions are those that fall under the Department of Education's GLBA application, which is most Title IV-eligible institutions.

    CMMC 2.0 Phase II (Effective December 16, 2025)

    The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) 2.0 Phase II became effective December 16, 2025. The DoD invests more than $6 billion per year in university research, and any institution holding Controlled Unclassified Information (CUI) tied to DoD contracts is now subject to CMMC Phase II requirements.[16][24] The DFARS rule integrating CMMC requirements into solicitations was published in November 2025.[24]

    The PowerSchool and K-12 Context

    Although this report focuses on higher education, the K-12 environment provides important framing for university CISOs because of shared vendors and pipeline considerations.

    In January 2025 the threat actor behind a PowerSchool intrusion claimed to have stolen data on 62.4 million students and 9.5 million teachers. PowerSchool, which serves more than 18,000 North American K-12 schools, did not confirm the figure.[25] The K12 SIX K-12 Cyber Incident Map remains the most complete public resource for K-12 incidents and is recognized as such by the Government Accountability Office.[26]

    What This Means for University CISOs and Boards of Trustees

    Four implications follow directly from the data above.

    1. Vendor compromise is the dominant breach vector. MOVEit, Citrix Bleed, Oracle Health, and Oracle E-Business Suite together account for the bulk of the largest 2024-2025 higher-ed disclosures by affected-individual count. Universities should maintain a continuously updated third-party data inventory, contractually require breach notification within 72 hours from upstream vendors, and run tabletop exercises specifically on supply-chain cascade scenarios.

    2. Identity is the second dominant attack surface. The Stanford Akira, University of Michigan, and most of the direct (non-cascade) ransomware incidents in this dataset involved compromised identity infrastructure. Phishing-resistant multi-factor authentication, conditional access, privileged access workstations for IT staff, and continuous session validation should be table stakes.

    3. The 30-day FTC notification clock changes incident response economics. Many higher-ed incident response plans were designed around state breach notification windows (often 30-60 days) or HIPAA's 60-day clock for academic medical centers. The FTC Safeguards Rule notification adds an additional concurrent clock that runs from breach discovery, not from confirmation of scope. Plans should be tested under the tighter window.

    4. CMMC 2.0 Phase II is a compliance gate for federal research funding. Universities holding DoD CUI on research contracts now operate under CMMC Phase II requirements. Internal CMMC governance is not optional, and the cost of remediation is significantly less than the cost of disqualification from CUI-eligible solicitations.

    Frequently Asked Questions

    How many ransomware attacks did the education sector experience in 2025?

    Comparitech tracked 251 ransomware attacks on education globally in 2025 with approximately 3.96 million records breached, up from 3.11 million records in 2024.[1]

    What was the largest university breach disclosed in 2025?

    The University of Phoenix disclosed a breach affecting 3,489,274 individuals on December 22, 2025, traced to CL0P's exploitation of Oracle E-Business Suite zero-day CVE-2025-61882.[4]

    How many universities were affected by the MOVEit breach?

    Approximately 900 U.S. colleges and universities were affected by the MOVEit breach through their relationship with the National Student Clearinghouse, which serves 3,500+ U.S. higher-ed institutions.[6][7]

    Does FERPA require breach notification?

    No. FERPA does not require breach notification to students. The penalty for FERPA violations is loss of federal Department of Education funding, enforced by the Family Policy Compliance Office under 34 CFR 99.64(b).[22][23]

    When did the FTC Safeguards Rule breach notification take effect?

    May 13, 2024. The amended rule requires Title IV-eligible higher-ed institutions and other GLBA-covered entities to notify the FTC within 30 days of a breach affecting 500 or more consumers.[14]

    What is CMMC 2.0 Phase II and when does it take effect?

    CMMC 2.0 Phase II is the Department of Defense's tiered cybersecurity certification program for contractors handling Controlled Unclassified Information. Phase II takes effect December 16, 2025. The DoD invests more than $6 billion per year in university research subject to the rule.[15][16][24]

    Engage a vCISO to Operationalize These Findings

    The breach patterns documented above (vendor compromise, identity-infrastructure exploitation, ransomware double-extortion) are not solved by adding more security tools. They are addressed by a security program with clear leadership accountability for vendor risk, identity controls, and tested incident response. For mid-market organizations that do not have a full-time CISO, a fractional or virtual CISO arrangement provides this leadership at a fraction of the cost of a senior hire. BlueRadius's virtual CISO services embed a senior security leader into the organization to translate threat data of the kind in this report into board-defensible programs, with explicit accountability for vendor risk reviews, identity hardening, and rehearsed breach response under the relevant 30-day notification clock.

    Sources

    [1] Comparitech, "Education Ransomware Roundup 2025: Stats on Attacks, Ransoms and Data Breaches." comparitech.com.

    [2] Comparitech 2024 education ransomware data via K-12 Dive, "Education ransomware attacks in 2024." k12dive.com.

    [3] Higher Ed Dive, "Ransomware attacks on education jump 23% in H1 2025." highereddive.com.

    [4] SecurityWeek, "3.5 Million Affected by University of Phoenix Data Breach." securityweek.com.

    [5] BleepingComputer, "University System of Georgia: 800K Exposed in 2023 MOVEit Attack." bleepingcomputer.com.

    [6] Higher Ed Dive, "MOVEit breach: 900 colleges and universities impacted." highereddive.com.

    [7] SecurityWeek, "900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse." securityweek.com.

    [8] HIPAA Journal, "Fred Hutchinson Cancer Center Data Breach Settlement." hipaajournal.com.

    [9] The Register, "Fred Hutch commits $52.5M for breach settlement and security upgrades." theregister.com.

    [10] HIPAA Journal, "City of Hope Cyberattack Affects 827,000 Individuals." hipaajournal.com.

    [11] SecurityWeek, "US Cancer Center Data Breach Impacting 800,000." securityweek.com.

    [12] BleepingComputer, "Stanford: Data of 27,000 people stolen in September ransomware attack." bleepingcomputer.com.

    [13] BleepingComputer, "University of Michigan employee, student data stolen in cyberattack." bleepingcomputer.com.

    [14] Federal Trade Commission, "Safeguards Rule notification requirement now in effect." ftc.gov.

    [15] U.S. Department of Education Federal Student Aid Knowledge Center, "Updates to Gramm-Leach-Bliley Act Cybersecurity Requirements." fsapartners.ed.gov.

    [16] Campus Technology, "Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education." campustechnology.com.

    [17] TechCrunch, "The biggest data breaches of 2025 so far," covering the cumulative MOVEit / CL0P impact. techcrunch.com.

    [18] Top Class Actions, "National Student Clearinghouse $9.95M Data Breach Class Action Settlement." topclassactions.com.

    [19] BleepingComputer, "Ransomware gang behind threats to Fred Hutch cancer patients." bleepingcomputer.com.

    [20] Becker's Hospital Review, "Oracle Health data breach ensnares AdventHealth." beckershospitalreview.com.

    [21] HIPAA Journal, "Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients." hipaajournal.com.

    [22] Zwillgen, "Breach Notification for Colleges and Universities," summarizing FERPA, GLBA, and state notification requirements applicable to higher-ed institutions. zwillgen.com.

    [23] National Center for Education Statistics, FERPA Section 6 FAQ. nces.ed.gov.

    [24] EDUCAUSE Review, "DFARS Changes to Integrate CMMC Requirements Effective November 10." er.educause.edu.

    [25] BleepingComputer, "PowerSchool hacker claims they stole data of 62 million students." bleepingcomputer.com.

    [26] K12 SIX, "The State of K-12 Cybersecurity Report." k12six.org.
