UK Survey: 91% of Universities and 43% of Businesses Hit by Cyberattacks in the Past Year
Education stands out as the most frequently targeted sector; DSIT’s 2025 Breaches Survey shows persistent exposure
.png)
London, UK – October 6, 2025 (Updated 16/10/2025) — A new UK government study highlights the scale of cyber risk across the economy and the education sector. While 43% of businesses reported a breach or attack, exposure in education was markedly higher: 91% of universities, 85% of further-education colleges, 60% of secondary schools, and 44% of primary schools identified incidents in the past year.
The figures come from the Department for Science, Innovation & Technology’s Cyber Security Breaches Survey 2025, with fieldwork conducted August–December 2024. The education annex details sample sizes (250 primary, 240 secondary, 52 colleges, 32 universities) and notes elevated rates of impersonation, malware, and DoS in colleges and universities versus businesses.
Independent coverage framed the implications beyond individual victims, pointing to high-profile cases (e.g., Jaguar Land Rover) and knock-on effects across suppliers. Some reports extrapolate that the prevalence rates imply ~612,000 businesses and ~61,000 charities affected, though these are estimates rather than official counts.
English-speaking, mostly teenage hackers have been leasing ransomware from Russian-speaking groups.
noted one expert cited by the BBC, describing a shift in attacker profiles this year.
Key findings
- Prevalence (past 12 months): HE 91%, FE colleges 85%, secondary 60%, primary 44%, businesses 43%.
- Sample sizes & method: 2,179 businesses; education samples above; quantitative survey Aug–Dec 2024.
- Attack mix: Colleges/universities reported higher rates of impersonation (68%), malware (42%), and DoS (36%) than businesses overall.
- Context: Media coverage emphasizes ripple effects from major incidents across supply chains and local economies.
What it means
The data show a persistent baseline of attacks on UK organizations, with education disproportionately targeted. For enterprises and public institutions alike, the takeaway is to maintain phishing defenses, practice incident response, and harden identity controls—especially where student/staff churn and sprawling endpoints increase risk.
