In an era where smart classrooms and connected learning tools are transforming education, a new wave of cybersecurity threats is putting students’ and educators’ data at greater risk. According to the latest Zscaler ThreatLabz 2025 Mobile, IoT & OT Report, attacks on Internet of Things (IoT) devices in the education sector have skyrocketed by 861% year-over-year. While overall IoT malware activity shows signs of stabilization or decline globally, the education sector’s rapid adoption of connected devices—from interactive whiteboards to campus security cameras—has made it a prime target for cybercriminals. This surge not only disrupts operations but also amplifies privacy vulnerabilities, fueling a parallel rise in lawsuits and data breaches tied to edtech platforms.
The Alarming Rise of IoT Threats in Education
The Zscaler report highlights how the proliferation of IoT devices in schools and universities has expanded the attack surface dramatically. IoT malware, led by notorious botnets like Mirai (40% of attacks), Mozi, and Gafgyt, now accounts for 75% of malicious payloads targeting connected devices. Routers bear the brunt, facing over 75% of assaults via command injection vulnerabilities, while digital video recorders (DVRs), network video recorders (NVRs), and cameras are commonly hijacked for botnet expansion.
In the education sector, this translates to unprecedented growth: an 861% increase in IoT attacks, outpacing sectors like Energy/Utilities (459%) and Finance & Insurance (702%). The United States, absorbing 54.1% of global IoT threats, sees education institutions particularly vulnerable due to under-resourced IT teams and sprawling networks. Although total attack volumes may be waning as attackers pivot to more sophisticated methods, the education spike underscores a critical gap—unpatched devices enabling lateral movement that can lead to data exfiltration or ransomware lockdowns during peak learning hours.
“The convergence of mobile, IoT, and operational technology (OT) risks is reshaping threat landscapes,” the report notes, emphasizing how education’s non-industrial IoT growth—unlike manufacturing’s 20.2% share of attacks—creates blind spots in traditional defenses.
From IoT Vulnerabilities to Privacy Nightmares: The Breach Connection
IoT attacks don’t just halt classes; they often serve as entry points for broader privacy invasions. Compromised devices can expose sensitive student data, including personal identifiers, health records, and academic performance metrics, directly feeding into the edtech ecosystem’s privacy crises. In 2025, education has emerged as the most targeted sector, enduring 4,388 weekly cyberattacks per school on average—a trend exacerbated by unsecured IoT integrations and vendor dependencies.
Recent high-profile breaches illustrate this linkage. In a landmark settlement announced in November 2025, edtech provider Illuminate Education agreed to pay $5.1 million to New York, California, and Connecticut after a 2022 breach exposed data on millions of students, including 1.7 million in New York alone. Hackers accessed names, birth dates, races, medical conditions, and special education details—precisely the kind of information IoT breaches could unlock through network pivots. The settlement, enforced by state attorneys general, underscores poor data security practices, with New York securing $1.7 million specifically for its affected students.
Similarly, PowerSchool faced ongoing litigation over a breach impacting 62 million student records, where unauthorized access led to claims of non-consensual data collection. These incidents highlight common vectors like phishing, unpatched BYOD (bring-your-own-device) policies, and shadow IT—issues amplified when IoT devices serve as unsecured gateways into edtech platforms.
A Torrent of Privacy Lawsuits Targeting EdTech
The breach fallout has triggered a litigation storm in 2025, with schools and parents increasingly holding edtech firms accountable under laws like the Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and state privacy statutes. A class action filed in March against Instructure (parent of Canvas LMS) alleges improper student data handling, marking a case study in edtech privacy pitfalls.
August brought a win for defendants when Kirkland & Ellis secured the first dismissal of federal and state children’s privacy claims against an edtech company, involving K-12 student tracking. Yet, courts remain split: An October VPPA ruling expanded risks for social media tracking on educational sites, while a federal court denied dismissal in a pixel-tracking suit against Hillsdale College.
Surveillance tech is another flashpoint. A Knight Institute lawsuit in April accused a school district of using monitoring tools to spy on students’ digital lives without transparency. Broader enforcement pauses, like a temporary halt on Department of Education directives in April, signal regulatory flux but don’t quell the suits.
Charting the Path Forward: Recommendations for Safer Schools
To stem this tide, the Zscaler report urges zero trust architectures, AI-powered anomaly detection, and IoT segmentation—strategies that could prevent breaches at the source. For edtech users, experts recommend rigorous vendor audits, automated patching, multi-factor authentication (MFA), and clear data minimization policies. As one webinar on incident response notes, third-party risks demand proactive collaboration to navigate the “data breach apocalypse.”
Education leaders must balance innovation with ironclad privacy. While IoT promises engaging learning, unchecked growth invites exploitation. By integrating robust defenses and heeding lawsuit lessons, schools can protect their most valuable assets: the data and trust of their students.
