Why Does the Education Sector Need Cyber Crisis Tabletop Exercises?

Date: 17 June 2024

If you so much as glance at our monthly compilation of cyber attacks, ransomware attacks and data breaches, you’ll note one overwhelming fact. There’s one industry that’s never missing from the list of those targeted by cyber crime. And that’s the education sector.  

This fact pretty much answers the question we ask in the title - Why do Educational Institutions need Cyber Attack Tabletop Exercises?

But the question definitely merits a more in-depth look at the urgency of cyber drills and enhanced cyber protection for educational institutions. And that’s exactly what we’re going to do through this blog. We'll also show you how to conduct effective cyber drills for your institution.

Additionally, you’ll find an exhaustive compilation of recent cyber attacks on Educational Institutions at the end of this blog. This list is meant to offer you a refreshed perspective on just how rampant cyber crime in the domain of education really is. It also offers a retrospective glance at the tactics and techniques of threat actors who regularly target this sector.

Further, understanding recent attacks in your industry can give you a good idea of the Incident Response strategies employed by your peers. You can then evaluate, with your team, what you thought worked well and what could have been done differently. The sum of these lessons learned can then be leveraged to improve, review and refresh your own cyber incident response plans.

Topics Covered: 

  1. Why do Hackers Target Educational Institutions?
  2. How to Tailor Cyber Drills for this Industry? 
  3. Top Cyber Tabletop Exercise Scenarios for the Education Sector
  4. Major Cyber Attacks on Academic Institutions 2023-2024

What Makes the Education Sector a Prime Target for Cyber Crime? 

Before we delve into the best ways to curate effective Cyber Tabletop Exercises for the Education Sector, let’s look at what makes this industry such an attractive target for cyber criminals. 

There’s a host of reasons why everyone from rookie hackers to expert ransomware gangs continues to attack schools, universities and other educational institutions. In our opinion, these are the three main ones:

  • Wealth of Data: If it’s sensitive information a hacker is after, there’s tonnes of it in an educational institution. From personal data of students, alumni, staff to financial records of payments made by parents, health information on allergies and medications etc., schools and colleges often hold vast troves of information that can be exploited. 

    Apart from the shock value of leaking sensitive data of children and minors (which cyber criminals love), this data can also be used for financial fraud, identity theft and many similar malicious activities. 

    Institutions of learning also offer cyber criminals a large attack surface, especially since the COVID-19 pandemic. Extensive use of online learning platforms, remote access tools and use of personal devices for school work etc., all increase the entry points for attackers into an educational institute’s network.
  • Low-hanging fruit: This is an unfortunate, general truth about the education sector - cybersecurity awareness and sophisticated security measures are in short supply. Most educational institutions will typically have lower budgets for IT infrastructure and cybersecurity controls compared with large government bodies or multinational organisations. This makes it much easier for cyber criminals to breach defences, infiltrate their systems and compromise data.

    The high user turnover at educational institutions makes matters worse. With students graduating each year and new ones taking their places and a significant churn in teaching staff too, it’s difficult to keep a tight control on security protocols. 

  • Disruption and Theft of Intellectual Property: Like we said before, hackers love drama. A cyber attack at an academic institution leads to significant disruption and chaos. Classes can be disrupted, research work may be brought to a halt, and important events may have to be cancelled.

    Such disruptions may often put pressure on the institution of learning to negotiate with the attacker. One of the most compelling reasons for attacking universities and specialised learning institutions often is intellectual property theft. Advanced educational facilities will often have students working on cutting-edge technologies and confidential research projects.

    Cybercriminals, including state-sponsored actors, may target these institutions to steal research data or intellectual property for competitive or geopolitical advantages.

Given the above reasons, it’s clear that institutions of learning can be very lucrative and easy-to-breach targets for cyber attackers. And this is precisely why entities in this sector require regular Cyber Attack Tabletop Exercises. 

Tailoring Cyber Attack Tabletop Exercises for the Education Sector 

Cyber Crisis Tabletop Exercises have to be sector-specific and extremely relevant no matter the industry. However, for the education sector, the cyber drill must be even more nuanced.  

One has to keep in mind that the data that may be exposed in a cyber attack in this industry can be highly sensitive as it will belong to minors in many cases. Further, attacks on institutions of learning can disrupt classes, teaching and research, directly impacting the academic and even career progression of many students. 

The Cyber Tabletop Exercise has to take into consideration the fact that many people in charge of responding to the attack or managing crisis communications may be entirely non-technical. Therefore, the cyber drill scenario must speak to them and elicit the right responses.

Collaboration is key for any cyber exercise but particularly so for one in the education space. When done correctly, cyber tabletop exercises can massively improve communication and coordination among different departments and stakeholders during a cyber incident. This collaboration is critical for an effective and timely response to cyber threats. 

Such collaboration also results in a better cybersecurity culture for the entire institution. Once teachers and administrators understand the current cyber threat landscape and enforce better cybersecurity practices, the effect trickles down to all students using institutional or personal devices. 

In the next section, we look at some of the top Cyber Crisis Tabletop Exercise Scenarios that educational institutions must focus on.  

Cyber Tabletop Exercise Scenarios for the Education Sector

The key to a successful Cyber Attack Tabletop Exercise is the scenario it is based on. The scenario must be curated specifically for your business and industry. 

In the case of Cyber Drills for the Education sector, here are a couple of scenarios we always recommend our clients rehearse. These cyber attack scenarios are not only relevant for academic institutions but are also the ones that occur most commonly in this sector based on historical data. 

  • Phishing Campaign: Very often, an attack on a school or university begins with a phishing email. Like we discussed earlier, cybersecurity awareness levels can often be lower in this industry. Therefore, an unsuspecting member of the staff or even a student, might click on a suspicious email attachment or link. This can jeopardise the entire institution’s network. A phishing campaign can also compromise user credentials or unsecured passwords. 

    While rehearsing this scenario, make sure there is adequate discussion about cybersecurity hygiene and the importance of using 2FA and strong passwords. 

  • Ransomware Attack: Simulating a ransomware attack would typically involve critical data being encrypted. This would be followed by the attacker demanding payment for decryption. A ransomware attack can also bring the online systems of the institution to a halt, potentially disrupting teaching, research work, administrative tasks etc. 

    Focus on how your educational institution will deal with this disruption while simultaneously containing the situation. Who will lead communication with stakeholders, parents and students? And always remember, it’s never ever recommended to negotiate with ransomware attackers. There’s no honour amongst thieves in the world of cyber crime.   

  • Data Breach: A data breach scenario is straightforward - sensitive student and staff information is compromised. Now you need to practise identifying the breach and notifying affected individuals and the appropriate authorities. It is also imperative to deliberate over measures that can be implemented at your institution to prevent such incidents from actually occurring.

Cyber Tabletop Exercises created using the above scenarios will give you a clear picture of your cyber resilience. How prepared are you for an actual attack? Do you have an effective Cyber Incident Response Plan? What is the level of coordination and collaboration amongst the different departments? Do you have necessary security measures in place to prevent rudimentary ransomware attacks and phishing attacks? 

In the next section, we look at major attacks on educational institutions in the recent past. This list, too, will give you a historical overview of the most common tactics and techniques used by cyber criminals in your industry and how your peers mitigated the damage (or not).

Recent Cyber Attacks on Educational Institutions 2023-2024 

Event Date | Educational Institute | Threat Actor

May 29, 2024

North American University

Free Piano phish targets American university students, staff


A large-scale phishing campaign is using an unusual lure to earn at least $900,000 by tricking email recipients into believing they're about to receive a baby grand piano for free.

North American University Phishing Attack

May 08, 2024

University System of Georgia

University System of Georgia Says 800,000 Impacted by MOVEit Hack

Clop Ransomware (Under MOVEit)

University System of Georgia notified 800,000 individuals that their personal and financial information was compromised in the May 2023 MOVEit hack.

University System of Georgia Impacted by MOVEit Hack

April 04, 2024

University of Winnipeg

Thousands of staff, students have sensitive data stolen in University of Winnipeg hack


The University of Winnipeg in Canada has confirmed that hackers stole sensitive information from the institution in an incident that took place in late March, affecting former and current students and staff.

University of Winnipeg Data Breach

February 20, 2024

Prince George’s County Public Schools (PGCPS)

DC-area school system says data of 100,000 people affected in ransomware attack


Prince George’s County Public Schools in the Washington, D.C., suburbs said the personal information of nearly 100,000 people was breached by a ransomware gang right before classes started in the fall. According to a regulatory filing, the district school determined that “personal information was included in the potentially impacted data set.”

PGCPS Data Breach

January 18, 2024

Kansas State University

Kansas State University says cyber attack disrupted IT network and services


Kansas State University (K-State) announced it was managing a cybersecurity incident that has disrupted certain network systems, including VPN, K-State emails, and video services on Canvas and Mediasite.

Kansas State University Cyber Attack

November 1, 2023

California community college Río Hondo

California community college Río Hondo deals with a cybersecurity incident.

LockBit Ransomware

Río Hondo College in Southern California is dealing with a cybersecurity incident that limited campus functions for days before most services were returned. The school did not identify the disruptions as related to cyber attacks, but the LockBit ransomware gang added the school to its list of victims, giving officials until November 20 to pay an undisclosed ransom.

California Community College Ransomware Attack

October 27, 2023

Stanford University

Stanford University is investigating a cyber attack after ransomware claims

Akira ransomware gang

The ransomware gang claimed it attacked Stanford University and stole 430 gigabytes of data.

Stanford University Ransomware Attack

October 23, 2023

University of Michigan

University of Michigan employee, student data stolen in cyber attack


The University of Michigan said in a statement that they suffered a data breach after hackers broke into their network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.

University of Michigan Data Breach

September 3, 2023

University of Sydney

University of Sydney data breach impacts recent applicants


In the data breach announcement, the university said that the incident had a limited impact and the preliminary investigation found no evidence that local students, staff, or alumni have been impacted.

University of Sydney Data Breach

June 9, 2023

University of Manchester

University of Manchester says hackers ‘likely’ stole data in cyber attack


The university confirmed that some of its systems had been accessed by an unauthorised party and that data had likely been copied.

University of Manchester Data Breach

May 10, 2023

Bristol Community College

Bristol Community College suffers data breach, thousands affected


Bristol Community College has disclosed a data breach that compromised more than 50,000 Social Security numbers.

Bristol Community College Data Breach

May 03, 2023

Bluefield University

Ransomware gang hijacks university alert system to issue threats

Avos ransomware

The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released. The University disclosed to students and staff that they had suffered a  that impacted the IT systems, causing all examinations to be postponed.

Bluefield University Ransomware Attack

April 06, 2023

Open University of Cyprus

Medusa ransomware claims attack on Open University of Cyprus

Medusa ransomware

The Medusa ransomware gang claimed a cyberattack on the Open University of Cyprus (OUC), which caused severe disruptions to operations. The ransomware group posted OUC on its data leak site, giving the institute 14 days to respond to its ransom demands. The hackers asked for $100,000. The threat group set the same price for both deleting the data as well as for selling it to an interested party. 

Open University of Cyprus Ransomware Attack

February 01, 2023

Morgan Hill Unified School District

Morgan Hill Unified School District discloses data breach


Morgan Hill Unified School District in California has disclosed a breach that occurred when an employee’s email account was accessed without authorization between September 11 and October 11, 2022.

Morgan Hill Unified School District Data Breach

January 30, 2023

TUSD School District

Cybersecurity incident shuts down TUSD internet, network services


A cybersecurity incident on Tucson Unified School District’s technology network shut down the district’s internet and network services.

TUSD School District Cyber Attack

January 26, 2023

Stratford University

Stratford University discloses ransomware attack. Multiple gangs take credit. 

REvil, Snatch Team, and Avos Locker

REvil’s attack had been disclosed by REvil back in April of 2022. Snatch Team added their attack to their own leak site on August 17, presumably before the attack Stratford reported as occurring August 26. On January 15, 2023, Snatch Team dumped more than 50 GB of files from the school on their leak site. And Avos Locker started leaking the school’s data on September 7.

Stratford University Data Breach

January 21, 2023

Instituto Federal Do Pará

Instituto Federal Do Pará Attack Claimed By BlackCat


The Instituto Federal Do Pará (IFPA), a public education institution in Brazil, was added to the leaks site of the AlphV (BlackCat) group on January 21 with a message saying, “The guys decided to ignore our ransom demands, so the data of their employees and students will be published and put up for sale”.

BlackCat’s proofpack consists of screenshots from a directory of folders but without any contents or files. Some of the folder names appear to be individuals’ names.

Instituto Federal Do Pará Ransomware Attack

January 20, 2023

LA Unified School District

LAUSD says Vice Society ransomware gang stole contractors’ SSNs

Vice Society

Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors' personal information, including Social Security Numbers (SSNs).

Los Angeles Unified School District Ransomware Attack

January 19, 2023

Maple Ridge - Pitt Meadows School District No.42

More than 19,000 records released in B.C. school district data breach


In a statement, School District 42 — which encompasses Maple Ridge and Pitt Meadows — said 19,126 records were publicly released in a breach that was first noticed in the afternoon of Jan. 17, 2023. The documents appear to have been uploaded to a popular hacker forum on Jan. 15. The records include first and last names, schools and departments, email addresses and students’ grades.

School District 42 Data Breach

January 13, 2023

Okanagan College in Kelowna, British Columbia

BC college warns students and staff of potential data breach


An "unrecognised external agent," forced the college IT team to shut down and disable network access across all of Okanagan College's campuses in Kelowna, Vernon, Penticton and Salmon Arm.

British Columbia School Data Breach

January 9, 2023

Oxford University

UK: Oxford University dating website for staff and students shut down after ‘huge data breach’


A dating website for Oxford University students has been accused of breaching student and staff privacy after revealing the name of everyone with a university email address.

Oxford University Dating Website Data Breach

January 9, 2023

16 schools across Hull and Yorkshire

Hackers demand £15 million ransom from Hull and Yorkshire schools after cyber attack


Teachers at 16 schools across Hull and Yorkshire were unable to use their computers after hackers demanded a £15 million ransom. All 15 schools in the Hope Sentamu Learning Trust, which includes Hull secondary school Archbishop Sentamu Academy, were affected by the cyber attack. Hymers College, an independent school in Hull that charges fees of £13,000 a year, was also hacked. 

Hull & Yorkshire Schools Cyber Attack 

January 9, 2023

Des Moines Public Schools

Des Moines Public Schools cancels classes after cybersecurity attack


Des Moines Public Schools cancelled all classes after officials took the district's internet and network offline following what they described as "unusual activity" that was later determined to be an apparent cybersecurity attack.

Des Moines Public Schools Cyber Attack 

January 4, 2023

Queensland University of Technology

Royal ransomware claims attack on Queensland University of Technology

Royal Ransomware

The Royal Ransomware gang has claimed responsibility for a recent cyber attack on the Queensland University of Technology and begun to leak data allegedly stolen during the security breach.

Queensland University of Technology Ransomware Attack

January 3, 2023

University of Miami Health System

University of Miami investigated a data breach


The University issued a public notice to inform its patients and others that a security incident affected a limited number of UHealth – University of Miami Health System patients.

University of Miami Health System Data Breach

January 2, 2023

Havana University

Cuban University Websites Hacked

Cuba Ransomware

Anonymous Cuba began the year by attacking the security of a number of Havana University faculties’ webpages, posting caricatures of Cuban leaders on them, as well as photographs showing scenes of repression and offensive messages against Cuban president Miguel Díaz-Canel, calling for the end to dictatorship.

Havana University Cyber Attack 

January 1, 2023

Bristol Community College

Bristol Community College's computer systems hacked in ransomware attack


“The college has discovered a network interruption issue impacting onsite internet and network functions including email, Teams, shared document sites and information systems, for students and employees,” college officials said.

Bristol Community College Cyber Attack

