A. VIRGINKAR, Nirad Threat Research
Bharat-first threat intelligence for government, BFSI, defence, and critical infrastructure. Questions, corrections, or contributions: reach the Nirad Threat Research desk. Next Education Edition: July 2026.
Indian education and research organisations were hit by an average of 8,487 cyberattacks per organisation per week over a recent six-month window — nearly double the global average of 4,368 — per Check Point Research figures published in January 2026. Education remains one of India's most-attacked verticals: high-value identity data, weak SOC maturity, and sprawling SIS/ERP/LMS estates make it a soft, high-yield target.
Source: Check Point Research data, reported by GÉANT Security, 12 January 2026.
ShinyHunters exploits Oracle PeopleSoft zero-day to ransack universities — CVE-2026-35273. A CVSS 9.8 unauthenticated remote-code-execution flaw in PeopleSoft Enterprise PeopleTools (8.61/8.62, with older unsupported builds likely affected) was exploited as a zero-day from 27 May to 9 June 2026, before Oracle's out-of-band advisory. Mandiant/Google notified 100+ affected organisations; 68% were higher-education institutions, most in the United States. The University of Nottingham confirmed compromise as one of the first named victims, with ~455,000 records (current students and alumni) exposed.
- Exposed: Internet-facing PeopleSoft SIS/HCM/Campus Solutions; PeopleTools 8.61/8.62 and older unsupported builds.
- Action: Apply Oracle's 10 June 2026 fix immediately; until patched, restrict the Environment Management Hub (PSEMHUB) and block external access to vulnerable endpoints; hunt for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT markers and rogue MeshCentral agents masquerading as Azure binaries.
- Source (11 June 2026): The Hacker News; Google Cloud / Mandiant; The Register.
National examination portal hit by coordinated DoS plus data-theft probing. On 2 June 2026, India's CBSE On-Screen Marking (OSM) verification portal — live as Class 12 students filed re-evaluation applications — absorbed roughly 1.5 million requests in 120 seconds (~12,500/sec) alongside 100,000+ unauthorised file-access attempts using path traversal, directory enumeration, API fuzzing, and session-token harvesting. The portal stayed up via rate limiting and load balancing.
- Exposed: Time-bound examination and results portals; path-traversal and exposed-API surfaces under peak load.
- Action: Pre-load WAF/CDN and rate limiting ahead of result/admission windows; close directory listing and fuzzing-prone endpoints; rehearse surge-day incident response.
- Source (5 June 2026): CyberPeace Foundation technical breakdown.
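The surge-plus-probing pattern described above, and the exam-portal hunting guidance later in this pack, in working form as an added example (not CyberPeace's or Nirad's code): it parses constructed combined-format access-log lines for hypothetical /osm paths, tags path-traversal and fuzzing requests, and flags per-client bursts using deliberately small demo thresholds.

```python
"""Added example (not from the Nirad pack): flag exam-portal probing in web
access logs: traversal/fuzzing strings plus per-client request bursts."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log lines (hypothetical /osm paths, not real CBSE data).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:00:01 +0530] "GET /osm/result?roll=1234 HTTP/1.1" 200 512
203.0.113.7 - - [02/Jun/2026:10:00:01 +0530] "GET /osm/../../etc/passwd HTTP/1.1" 403 0
203.0.113.7 - - [02/Jun/2026:10:00:02 +0530] "GET /osm/%2e%2e/%2e%2e/config.php HTTP/1.1" 404 0
203.0.113.7 - - [02/Jun/2026:10:00:02 +0530] "GET /osm/api/v1/FUZZ HTTP/1.1" 404 0
198.51.100.9 - - [02/Jun/2026:10:00:03 +0530] "GET /osm/result?roll=5678 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
# Raw and URL-encoded dot-dot sequences; common blind-fuzzing wordlist markers.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e|%252e)', re.IGNORECASE)
FUZZ_RE = re.compile(r'(FUZZ|/\.git/|/wp-admin|\.bak$)', re.IGNORECASE)

def parse(line):
    m = LOG_RE.match(line)                    # None for lines that are not access-log format
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'ts': ts, 'path': m['path'], 'status': int(m['status'])}

def detect(log_text, burst_threshold=3, window_s=2):
    """Return {client_ip: sorted reasons}. Thresholds are demo values; tune to the portal's baseline."""
    findings, per_ip = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        per_ip[ev['ip']].append(ev['ts'])
        if TRAVERSAL_RE.search(ev['path']):
            findings[ev['ip']].add('path-traversal')
        if FUZZ_RE.search(ev['path']):
            findings[ev['ip']].add('api-fuzzing')
    for ip, times in per_ip.items():          # sliding-window burst check per client
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings[ip].add('burst')
                break
    return {ip: sorted(r) for ip, r in findings.items()}
```

In production the burst threshold is set from the portal's observed per-client rate during a normal results window, and the finding feeds the WAF/rate-limiter rather than a manual review.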
Curated Indian student data weaponised for phishing, fraud, and mule networks. Researchers documented large troves of Indian student data — including ~12 million records from a school-search platform, ~682,000 student records from an education-services provider, and ~46,000 records tied to a major university — being advertised and used for phishing, identity theft, fraudulent fee collection, and resale. In one February 2026 case, a Bengaluru student's bank account was allegedly used to route funds through a mule network.
- Exposed: Names, government IDs, banking details, DOB, enrolment, payment data, parent details, photos, signatures.
- Action: Minimise and encrypt stored PII; enforce MFA on fee and admission portals; warn students/parents of cloned-site and fee-fraud lures.
- Source (21 May 2026): CYFIRMA, via CybersecurityNews / GBHackers.
The month's incidents map onto the sector's core stack: SIS/ERP (Oracle PeopleSoft Campus Solutions, fee and admission portals), examination platforms, LMS, and research networks. PeopleSoft is widely deployed across large Indian universities for student records and HCM, so CVE-2026-35273 is directly relevant even though confirmed victims this month were predominantly outside India — Indian institutions running internet-facing PeopleTools should treat themselves as in-scope. Recurring exposure patterns: internet-exposed admin/API endpoints, path traversal on examination portals, misconfigured cloud storage holding exam and applicant data, and unsegmented research networks adjacent to student-data stores.
India's Digital Personal Data Protection (DPDP) Rules, 2025 make 2026 the sector's compliance "build year." Educational institutions and EdTech providers handling student and minor data are subject to stricter rules for children's data, including verifiable parental consent before processing data of under-18s and restrictions on behavioural tracking and targeted advertising directed at children. Key dates: Consent Manager Framework operational 13 November 2026; full compliance deadline 13 May 2027. Breaches require prompt notification to affected individuals and the Data Protection Board, with a detailed report within 72 hours; penalties reach ₹250 crore for safeguard failures and ₹200 crore for breach-notification failures. CERT-In's six-hour incident-reporting direction remains in force in parallel. Sources: Fisher Phillips (25 Feb 2026); DPDP Rules 2025 (Government of India); CERT-In Directions 2022 (in force).
Confidence: High (third-party attribution). Indian academic institutions appear among the targets of APT36, a Pakistan-aligned espionage group assessed as state-aligned, alongside government and strategic entities in its most recent dated campaign. CYFIRMA reporting (30 December 2025 — the latest dated APT36 education-relevant activity at time of writing) detailed spear-phishing ZIP archives carrying LNK files disguised as PDFs, executing HTA scripts via mshta.exe to load a full-featured RAT (remote control, file management, exfiltration, screen capture, clipboard monitoring). Education is a recurring APT36 collection interest because campus systems bridge research, government linkages, and large credential pools. No new APT36 education campaign was confirmed in May–June 2026; defenders should treat the December TTPs as the current baseline. Source: CYFIRMA (30 December 2025).
To avoid propagating uncertain values, this pack references public advisories rather than transcribing IOCs:
- CVE-2026-35273 (PeopleSoft): Detection and mitigation guidance in Oracle's 10 June 2026 advisory and Mandiant/Google Cloud reporting. Hunt for the README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT artefact, anomalous PeopleTools EMH/PSEMHUB activity, and MeshCentral agents posing as Azure binaries.
- APT36 LNK/HTA chain: Detection logic in CYFIRMA's December 2025 report — alert on mshta.exe spawned from LNK/ZIP, and on LNK files carrying embedded PDF content.
- Exam-portal probing: Watch for path-traversal strings, directory-enumeration bursts, and API fuzzing against result/re-evaluation endpoints (per CyberPeace, June 2026).
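The two APT36 detection points above (and the TTPs in the APT36 section) as an added example, not CYFIRMA's or Nirad's code: a structural check on a Shell Link (.lnk) blob for an embedded PDF decoy and an HTA launcher, plus a process-creation heuristic for mshta.exe. The sample LNK bytes, the process events and their field names are assumptions constructed here.

```python
"""Added example (not from the Nirad pack or CYFIRMA): heuristics for the
APT36 LNK -> HTA chain. The LNK bytes and process events are constructed."""
import re

# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b'\x4c\x00\x00\x00' + bytes.fromhex('0114020000000000c000000000000046')

def suspicious_lnk(data: bytes) -> list:
    """Reasons an .lnk blob looks like a PDF-decoy lure; [] if clean or not an LNK."""
    reasons = []
    if not data.startswith(LNK_MAGIC):
        return reasons
    if b'%PDF-' in data:
        reasons.append('embedded-pdf')       # decoy document packed inside the shortcut
    # Shell Link strings are UTF-16LE; look for an HTA launcher in the arguments.
    text = data.decode('utf-16-le', errors='ignore').lower()
    if 'mshta' in text or '.hta' in text:
        reasons.append('hta-launcher')
    if len(data) > 64 * 1024:
        reasons.append('oversized')          # genuine shortcuts are a few KB
    return reasons

def mshta_from_lnk(event: dict) -> bool:
    """Process-creation heuristic (field names assumed): mshta.exe started by
    Explorer (how a double-clicked LNK or ZIP entry launches) or loading an
    HTA from a user-writable / archive-extraction path."""
    image = event.get('image', '').lower()
    parent = event.get('parent_image', '').lower()
    cmd = event.get('command_line', '').lower()
    if not image.endswith('\\mshta.exe'):
        return False
    user_path = re.search(r'\\(temp|downloads|appdata)\\', cmd) is not None
    return parent.endswith('\\explorer.exe') or user_path

# Constructed samples: a lure LNK, one lure-like process event and one benign one.
SAMPLE_LNK = (LNK_MAGIC + b'\x00' * 56
              + 'mshta.exe C:\\Users\\Public\\Report.hta'.encode('utf-16-le')
              + b'%PDF-1.7 decoy bytes')
LURE_EVENT = {'image': 'C:\\Windows\\System32\\mshta.exe',
              'parent_image': 'C:\\Windows\\explorer.exe',
              'command_line': 'mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\Report.hta'}
BENIGN_EVENT = {'image': 'C:\\Windows\\System32\\mshta.exe',
                'parent_image': 'C:\\Windows\\System32\\services.exe',
                'command_line': 'mshta.exe "C:\\Program Files\\Vendor\\ui.hta"'}
```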
No leaked or stolen data is reproduced here. Validate any third-party IOC list against the originating advisory before deploying.
Board: Confirm DPDP readiness against the 13 May 2027 deadline and 72-hour breach-reporting obligation; fund SIS/ERP patching and SOC coverage given the sector's ~8,487 weekly-attack exposure; require a board-level briefing after any student-data incident.
CISO: Inventory all internet-facing PeopleSoft/PeopleTools and remediate CVE-2026-35273 now; enforce MFA across SIS, fee, admission, and exam portals; commission a data-minimisation and encryption review of student PII; pre-position WAF/CDN for result/admission surge windows.
SOC: Hunt for the PeopleSoft compromise artefacts and APT36 LNK/HTA behaviours above; tune detections for path traversal and API fuzzing on examination portals; monitor dark-web and paste sites for institution-branded student data; rehearse the 72-hour DPB notification workflow.
1. The Hacker News — ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273), 11 Jun 2026: https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
2. Google Cloud / Mandiant — ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit, Jun 2026: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
3. The Register — ShinyHunters claims Oracle PeopleSoft 0-day hit 100+ orgs, 11 Jun 2026: https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/
4. CyberPeace Foundation — Inside the CBSE OSM Cyberattack, 5 Jun 2026: https://cyberpeace.org/resources/blogs/inside-the-cbse-osm-cyberattack-a-technical-breakdown-of-the-june-2026-incident
5. CybersecurityNews (CYFIRMA) — Indian Student Data Weaponized for Phishing, 21 May 2026: https://cybersecuritynews.com/indian-student-data-weaponized-for-phishing/
6. GBHackers — Indian Student Data Weaponized in Phishing and Financial Fraud Campaigns, May 2026: https://gbhackers.com/phishing-and-financial-fraud-campaigns/
7. GÉANT Security (Check Point Research data) — Indian universities face record 8,487 weekly cyberattacks, 12 Jan 2026: https://security.geant.org/indian-universities-face-record-8487-weekly-cyberattacks-student-data-sold-on-dark-web-report/
8. CYFIRMA — APT36 (Transparent Tribe) Multi-Stage LNK Malware Campaign Targeting Indian Government Entities, 30 Dec 2025: https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/
9. Fisher Phillips — India's New Data Privacy Rules Are Here, 25 Feb 2026: https://www.fisherphillips.com/en/insights/insights/indias-new-data-privacy-rules-are-here
10. Digital Personal Data Protection Rules, 2025 — Government of India.