As we previously reported, a major cybersecurity incident at Instructure exposed student and staff data across the Canvas learning platform. The company is investigating the breach, while a cybercrime group claims to have stolen information from thousands of schools and universities.
What Happened
The extortion gang ShinyHunters claims it stole 280 million records from 8,809 educational institutions. Hackers harvested this data by using standard administrative features, including provisioning reports and user application programming interfaces (APIs). The compromised information includes user names, email addresses, student identification numbers, and private messages.
Instructure confirmed that a cyber incident occurred and is working with forensic experts to determine the impact. The company has not released a public list of the affected organizations. Hackers have defaced school login pages with extortion threats, and some institutions report outages preventing students from submitting assignments.
The Bigger Picture
The educational sector faces constant threats, but the nature of these attacks is changing. Despite reports of cybercrime in education, overall ransomware attacks against schools plateaued in 2025. Ransomware incidents against the sector declined 23% between late 2025 and early 2026.
However, the volume of exposed records increased because of third-party software vulnerabilities. This threat is global. A survey from the UK government found that 98% of higher education institutions and 73% of secondary schools identified at least one cyber breach in the past year.
The Canvas breach points to a structural issue known as platform concentration risk. Major educational tools are controlled by a few large, private-equity-owned corporations. For example, Bain Capital acquired PowerSchool for $5.6 billion, and Instructure was purchased for $4.8 billion.
This market consolidation limits the autonomy of local school districts and creates switching costs, locking schools into specific vendors. When a dominant platform like Canvas experiences a security failure, thousands of institutions are impacted simultaneously. Because these proprietary systems lack interoperability, schools often cannot move to alternative platforms during an outage.
What This Means for Families
When a data breach occurs, the legal responsibility to protect student information falls on school districts under the Family Educational Rights and Privacy Act (FERPA).
To share data under the "school official" exception, schools must have a formal Data Privacy Agreement (DPA) in place. Compliance often lags behind technology adoption. Currently, 42% of districts using AI tools have not executed the necessary agreements.
Effective vendor oversight requires a proactive, repeatable operating discipline. Before approving a new classroom tool, administrators must verify how data is secured, what information is necessary for the tool to function, who has third-party access, and how the district maintains control if a vendor's policies change. Without these agreements, schools operate with high legal and privacy risk.
What You Can Do
- Wait for official guidance: Because Instructure has not published a central list of impacted users, look to your specific school district or university for confirmation on whether your data was compromised.
- Watch for phishing: With email addresses and internal messages exposed, be vigilant regarding unsolicited emails that appear to come from school officials.
- Ask about Data Privacy Agreements: Parents can contact their school board or IT department to ask if the district requires signed DPAs for all educational software.