A massive cyberattack on the Canvas learning platform and a state audit of New York City Public Schools reveal gaps in student data privacy. As millions of students prepare for final exams, parents and educators face questions about how schools secure sensitive digital records.
What Happened
On Thursday, the Canvas learning management system went offline after a cyberattack. A hacking group called ShinyHunters claimed responsibility. They stated they accessed records and private messages belonging to 275 million users across 9,000 schools.
As we previously reported, the attackers used vulnerabilities in free teacher accounts. Instructure, the parent company, shut down these accounts and took Canvas offline to contain the issue. This disrupted final exams at colleges nationwide.
An official update from the company stated there is no evidence that passwords, dates of birth, or financial information were stolen. The scope of the exposure is still under investigation.
The Bigger Picture
The Canvas breach is a sign of instability in education technology. Instructure is currently facing its second security incident in eight months.
School districts struggle to manage these risks. A recent state audit from the New York State Comptroller found security flaws in New York City Public Schools. The audit identified vulnerabilities within the district's Automate the Schools system, which contains approximately 5 million student records.
Investigators found that the district lacks written policies for data classification, risk assessment, and backup procedures. It does not fully comply with the NIST Cybersecurity Framework, a requirement under state regulations.
Transparency is a problem. Between January 2023 and February 2025, the district experienced 141 data breaches. The district delayed reporting 48% of these incidents to the State Education Department and delayed notifying families 11% of the time.
The district does not maintain a complete inventory of third-party software used across its 1,600 schools. Without an inventory, officials cannot protect the data flowing through these apps. Schools use student monitoring tools that include activity logging capabilities to track websites visited. Some platforms use typing activity monitors and screen recording to track student work.
Human error is also a factor. In 2024, only 73% of employees finished the district's mandatory data privacy training.
What This Means for Families
Security failures cause operational disruptions. Taking platforms like Canvas offline during grading periods affects academic progress and increases stress for students taking final exams.
The lack of transparency from school districts and tech companies means parents often learn of a breach long after it occurs. When schools use unvetted software or fail to follow security protocols, student information—including academic records and private messages—is left vulnerable.
What You Can Do
- Request an app inventory: Ask your school's administration for a list of all third-party software approved for classroom use.
- Review district privacy policies: Check your local school board's website to ensure their data protection policies meet state and federal standards.
- Monitor school communications: Pay attention to emails regarding system outages or mandated password resets, as these can be indicators of a security breach.
- Check state breach laws: Learn your state's mandatory disclosure guidelines to understand when and how a school is legally required to notify you of compromised data.