
EdTech Software Suppliers Become the New Target for Cyber Attackers


Education is witnessing a notable shift in the cyber threat landscape: attackers are bypassing individual schools in favor of the software providers that support modern digital learning. Over the last several years, education technology (EdTech) vendors, including providers of learning management systems (LMS), student information platforms, and cloud-based academic services, have emerged as valuable supply chain targets.


Through a single compromise, threat actors can gain access to hundreds or thousands of educational institutions across a wide range of industries. The recent attacks on Instructure's Canvas platform, which disrupted online examinations, and the large-scale breach of PowerSchool, which exposed sensitive student data, underscore how cybercriminals are evolving their tactics to maximize operational disruption, data theft, and financial leverage by striking the technology ecosystem instead of the end users.

With increased reliance on cloud-native educational infrastructure, institutions have also become increasingly exposed to financially motivated threat actors. Recent activity attributed to groups such as ShinyHunters and FulcrumSec reflects this shift toward more targeted and technically sophisticated attacks against the EdTech sector.

The ShinyHunters hacking collective has been reported to have compromised learning platforms serving educational institutions around the world, allegedly stealing millions of records containing names, email addresses, physical addresses, and other personally identifiable information (PII).

Several security assessments have linked these compromises to vulnerabilities such as insufficiently protected API endpoints and exposed cloud databases, vulnerabilities that frequently appear when rapidly expanding EdTech providers prioritize scalability over mature security controls. Data exposed on dark web marketplaces has increased the risks of phishing, credential abuse, identity theft, and follow-on attacks, reinforcing concerns that the adoption of student information systems, learning management systems, and other cloud-based academic platforms outpaces the establishment of robust cybersecurity governance within the education technology supply chain. 

In March of 2026, ShinyHunters allegedly compromised the widely used Infinite Campus Student Information System (SIS) and exfiltrated personally identifiable information from more than 137,000 school staff accounts through a Salesforce-related data theft incident. The campaign has continued to expand in scope throughout 2026.

Given Infinite Campus' extensive footprint in the U.S. education sector, the breach has implications that extend well beyond the company itself. Infinite Campus supports approximately 3,200 school districts and manages records for approximately 11 million students across 46 states. As of June 16, 2026, ShinyHunters had also named Glendale Community College, Moody Bible Institute, Illinois Central College, and Houston City College as its latest victims.

Rather than isolated attacks against individual campuses, the growing victim list illustrates a deliberate strategy of targeting centralized education platforms that can affect multiple institutions at once.

There has been a parallel escalation in the ransomware ecosystem, where FulcrumSec has claimed responsibility for a large-scale breach of the Global Schools Foundation, a Singapore-based international educational network. The attack disrupted several critical systems across multiple countries and resulted in the theft of a substantial amount of sensitive information, leaving students and staff with limited access to essential academic and administrative services.

After ransom negotiations failed, the group threatened to publish the stolen information. The stolen dataset contains 33,088 passport records covering 66 nationalities, 221 million attendance records, 9.4 million internal messages, 143,494 employee salaries, over 616,000 emails with medical and identification documents attached, 112 source code repositories, 168 entries in AWS Secrets Manager, and evidence of a previous ransomware attack dating back to 2022.

FulcrumSec has previously been connected to cloud-focused intrusions involving platforms hosted on Amazon Web Services, MongoDB, and Google Cloud Platform (GCP), reflecting attacks that extend beyond personal data into operational infrastructure, application code, and cloud secrets. Together with earlier breaches affecting LexisNexis and the Australian fintech company youX, these incidents underscore a consistent focus on cloud-resident data and double extortion.

Although large-scale ransomware campaigns continue to make headlines, not every breach in education stems from sophisticated intrusion techniques. A misconfigured third-party cloud application can expose sensitive information just as effectively, without an attacker having to overcome any security control.

One such incident was brought to a school's attention by parents who discovered that a feature within a third-party absence management platform allowed families to view the free-text comments submitted by other parents when requesting student absences. While the vendor confirmed that file attachments were inaccessible, the exposed comment fields could contain sensitive information voluntarily provided by guardians, including medical appointments, illness details, and other private information about students.

The incident demonstrated how a seemingly minor application logic error can undermine data confidentiality when privacy controls are not implemented correctly. Upon discovery, the educational institution and its software provider coordinated an incident response: once the school reported the vulnerability, the vendor developed and deployed a software update that remedied it, and the school then verified that its own environment had received the update.
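The logic error described above, modelled as an added example (not the vendor's code): the vulnerable listing is scoped only to the school, so every guardian sees every family's comments, while the fixed version checks each row against the caller's own linked students. The data, account ids and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AbsenceRequest:
    request_id: int
    school_id: str
    student_id: str
    submitted_by: str   # guardian account id that filed the request
    comment: str        # the free-text field the incident exposed


# Constructed sample data, not from the incident on the page.
GUARDIAN_STUDENTS = {
    "guardian-a": {"stu-1"},
    "guardian-b": {"stu-2"},
}
REQUESTS = [
    AbsenceRequest(101, "school-x", "stu-1", "guardian-a", "Dental appointment 9am"),
    AbsenceRequest(102, "school-x", "stu-2", "guardian-b", "Flu, seeing GP, note to follow"),
    AbsenceRequest(103, "school-y", "stu-3", "guardian-c", "Family bereavement"),
]


def list_comments_vulnerable(guardian_id, school_id, requests=REQUESTS):
    """Before: the view is filtered by school only, so any guardian at the
    school sees the comments every other family submitted."""
    return [(r.request_id, r.comment) for r in requests if r.school_id == school_id]


def list_comments_fixed(guardian_id, school_id, requests=REQUESTS, links=GUARDIAN_STUDENTS):
    """After: each row is also checked against the guardian's linked students
    (object-level authorization), not just the school the guardian belongs to."""
    allowed = links.get(guardian_id, set())
    return [(r.request_id, r.comment) for r in requests
            if r.school_id == school_id and r.student_id in allowed]


def get_comment_fixed(guardian_id, request_id, requests=REQUESTS, links=GUARDIAN_STUDENTS):
    """A direct lookup by id must apply the same check; returning None for a
    record the caller is not linked to avoids confirming that the id exists."""
    allowed = links.get(guardian_id, set())
    for r in requests:
        if r.request_id == request_id:
            return r.comment if r.student_id in allowed else None
    return None
```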

Beyond applying the fix, administrators had to conduct a comprehensive forensic investigation to determine how long the exposure lasted, which records were visible, which users accessed the vulnerable feature (by analyzing system logs), and what categories of personal information may have been compromised.
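The log-scoping step of that investigation, as an added example that is not from the page or the vendor: it walks application access logs for the comment-listing feature and answers the questions above (exposure window, who used the feature, and which records each viewer saw without being entitled to them). The log format, endpoint path and entitlement map are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in a hypothetical format (not the vendor's).
# rows= lists the absence-request ids the endpoint returned for that call.
ACCESS_LOG = """\
2026-05-02T08:14:03Z user=guardian-a GET /absences/comments?school=school-x status=200 rows=101,102
2026-05-02T09:20:11Z user=guardian-b GET /absences/comments?school=school-x status=200 rows=101,102
2026-05-03T17:45:30Z user=guardian-a GET /absences/attachments/102 status=403 rows=
2026-05-04T07:02:59Z user=guardian-a GET /absences/comments?school=school-x status=200 rows=101,102
"""

# Which absence-request ids each guardian was legitimately entitled to see (assumed).
ENTITLED = {"guardian-a": {101}, "guardian-b": {102}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"status=(?P<status>\d+) rows=(?P<rows>[\d,]*)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            d["rows"] = {int(x) for x in d["rows"].split(",") if x}
            yield d


def scope_exposure(text, entitled):
    """Exposure window, distinct viewers, and record id -> users who saw it
    without entitlement, counting only successful calls to the affected feature."""
    window, viewers, exposed = [], set(), {}
    for e in parse_log(text):
        if not e["path"].startswith("/absences/comments") or e["status"] != "200":
            continue  # attachment calls were blocked (403) and are out of scope
        viewers.add(e["user"])
        window.append(e["ts"])
        for rid in e["rows"] - entitled.get(e["user"], set()):
            exposed.setdefault(rid, set()).add(e["user"])
    return {
        "first_seen": min(window) if window else None,
        "last_seen": max(window) if window else None,
        "viewers": viewers,
        "exposed_records": exposed,
    }
```

The `exposed_records` map is what drives the notification list: each key is a record whose guardian must be told, and the value is who saw it.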

Based on those findings, the incident met the threshold for mandatory regulatory reporting, and formal notification of affected students, parents, and guardians was required. At the same time, the institution had to maintain communication with the families who initially reported the issue while documenting the incident for compliance purposes.

Because the vulnerability affected a shared cloud platform, the vendor had to notify every school that used the feature, distribute an updated version, and ensure those schools applied the update. The incident illustrates how a vulnerability in a centralized education platform can rapidly become an ecosystem-wide risk. Protecting student data is as much the responsibility of software providers, through timely patches and transparent communication, as it is of the educational institutions themselves.

Together, these incidents show that effective cybersecurity in the education sector is not limited to defending against external attackers. Whether the root cause is ransomware, a cloud misconfiguration, an insecure API, or human error, breach response demands significant operational effort from technical teams, compliance personnel, vendors, and institutional leadership. The incidents also highlight the importance of sound vendor governance, secure software development, continuous risk assessment, and an incident response plan that has been thoroughly tested.

As educational institutions increasingly rely on cloud-based platforms, organizations that invest in proactive security controls and supplier oversight will be better positioned to minimize operational disruption, protect sensitive data, and meet regulatory requirements.

As schools increasingly depend on interconnected cloud platforms to deliver educational services, the sector's cyber risk profile has fundamentally shifted, making software providers and technology partners as important as the schools themselves to the protection of institutional information. Recent incidents have shown that operational resilience depends on continuous vendor oversight, secure software development, timely vulnerability remediation, and coordinated incident response across the entire education technology ecosystem.

As threat actors continue to pursue high-impact supply chain opportunities, strengthening third-party risk management and building security into every phase of software development will be essential to protecting educational continuity, safeguarding sensitive data, and maintaining trust across digital learning environments.