School Cyberattacks Plague Start of 2025 Academic Year

Major incidents force closures across multiple districts as cybercriminals target education sector

The 2025 academic year has begun with an alarming wave of cyberattacks targeting school districts across the United States, forcing multiple institutions to close their doors and scramble to protect sensitive student and staff data. At least three major incidents have been reported since the beginning of September, highlighting the growing vulnerability of educational institutions to ransomware and cyber threats.

South Lyon Community Schools: Three-Day Shutdown

The most recent incident struck the South Lyon Community School District in Michigan, which has remained closed for three consecutive days after detecting a "network security incident" on Sunday, September 14, 2025. The attack has affected the district's 8,400 students across 12 schools plus an Early Childhood Center, spanning 83 square miles across Oakland, Washtenaw, and Livingston counties.

Superintendent Steve Archibald confirmed that "portions of our network remain shut down as a result of the incident" and that the district is "working closely with external cybersecurity experts to investigate and restore the data." The attack has crippled essential systems including phones, network communications, and other critical infrastructure necessary for safe school operations.

Parents have expressed frustration with the lack of detailed information about the incident. Jennifer Lukas, a parent in the district, told local media: "We're a little concerned, and we're all questioning it." The district has indicated that restoration efforts "may take a few days before full functionality can be restored."

Uvalde CISD: Entire Week Canceled Due to Ransomware

On September 14, 2025, the Uvalde Consolidated Independent School District in Texas announced it would cancel classes for the entire week following a ransomware attack that "severely" affected the district systems that control the phones, AC controls, camera monitoring, visitor management and more.

The attack has been particularly devastating for the district, located 80 miles west of San Antonio, affecting not only educational operations but also critical safety and security systems. The attack also took out the district's payroll system, affecting bus drivers, maintenance staff and custodians. Officials said paychecks could possibly be delayed.

Anne Marie Espinoza, the district's communications chief, confirmed that "A comprehensive investigation is underway to uncover the source of the malware and assess whether any sensitive information has been compromised." The FBI and other federal agencies have been notified of the incident.

Broader Cybersecurity Crisis in Education

These incidents are part of a larger trend affecting educational institutions nationwide. According to recent data, ransomware incidents across the education sector increased 23% year-over-year in the first half of 2025, with roughly 130 confirmed or suspected attacks and average ransom demands near US $556k.

The timing of these attacks is particularly concerning: cybercriminals often intensify their campaigns around the start of the school year, when disruption is most damaging to students, families, and educators.

The Financial and Educational Impact

The cost of these attacks extends far beyond the immediate disruption. Recovery costs for ransomware incidents are rising. Sector studies reported mean remediation costs of about US $3.76 M for K-12 and US $4.02 M for higher education in 2024, including incident response, forensics, legal fees, credit monitoring and downtime.

Schools face unique challenges in defending against these attacks due to limited cybersecurity budgets and staff. Many districts rely on general IT personnel rather than dedicated cybersecurity professionals, making them attractive targets for cybercriminals who often operate with sophisticated ransomware-as-a-service operations.

Federal Response and Concerns

The surge in school cyberattacks comes at a time when federal cybersecurity resources for educational institutions are being reduced. The Trump administration has rolled back federal resources to prevent, and respond to, attacks. The administration also cut the K-12 cybersecurity programs provided through the Multi-State Information Sharing and Analysis Center, which works with government entities, including school districts, on responding to cyberattacks.

Additionally, the administration shuttered without explanation the Readiness and Emergency Management for Schools technical assistance center. The center told its affiliates it will shut down on Sept. 18—even after securing federal approval earlier this year to continue work through at least 2030 with $3 million in annual funding.

Common Vulnerabilities and Attack Vectors

Cybersecurity experts have identified several key vulnerabilities that make schools attractive targets:

Legacy Systems and Poor Patch Management: Many districts run out-of-date operating systems or end-of-life software. A 2025 UpGuard study discovered that 45% of universities had at least one asset running end-of-life PHP and that 48% used software with known exploited vulnerabilities.

Exposed Remote Access: UpGuard's analysis found that 10% of universities (23% among the top 500) exposed RDP services to the internet. The FBI estimates that 70–80% of ransomware infections are initiated via exposed RDP services.

Inadequate Access Controls: Many schools lack enforced multifactor authentication. Saviynt reported that 60–70% of breaches involve compromised credentials, emphasizing the need for privilege management and zero-standing privilege.

Student Hackers: An Emerging Threat

Adding to the complexity of the threat landscape, the UK's Information Commissioner's Office recently warned that 57% of incidents were caused by students, who were likely motivated by "dares, notoriety, financial gain, revenge and rivalries." The ICO identified "a worrying pattern" in the 215 insider threat breach reports from the education sector between January 2022 and August 2024.

The Path Forward

As school districts grapple with these mounting threats, cybersecurity experts emphasize the need for comprehensive security strategies that go beyond traditional IT approaches. The incidents in South Lyon and Uvalde demonstrate that modern cyberattacks can completely paralyze school operations, affecting not just educational activities but also basic safety and communication systems.

State policymakers are beginning to respond to the crisis. Lawmakers in these states have considered a total of 18 bills in 2025 that directly addressed K-12 cybersecurity. Of the 18 bills, seven had been enacted as of July, according to the report.

However, with schools facing budget constraints and the federal government reducing cybersecurity support, many districts are turning to taxpayers for funding. 5 INVESTIGATES analyzed data from the Minnesota School Board Association and found that of the top 20 school districts in the Twin Cities metro, 15 currently have capital projects levies in place to address safety and security upgrades.

Looking Ahead

As the 2025 school year continues, the recent attacks in South Lyon and Uvalde serve as stark reminders of the urgent need for improved cybersecurity in educational institutions. With ransomware groups specifically targeting the education sector and the frequency of attacks continuing to rise, school districts must balance the immediate need to protect their systems with the long-term goal of maintaining accessible, technology-enabled learning environments.

The coming weeks will be crucial in determining whether these incidents represent isolated attacks or the beginning of a sustained campaign against educational institutions as the academic year progresses.
