Cyberattacks on major classroom platforms like PowerSchool and Canvas have forced school districts to scramble to protect student records. Reactive school cybersecurity does not keep student records safe. IT experts recommend a proactive approach called Continuous Threat Exposure Management (CTEM) to stop hackers before they strike.
What Happened
In late April 2026, the hacking group "ShinyHunters" targeted Instructure, the parent company of the Canvas learning management system. Reports by CyberScoop show the breach compromised about 275 million student and teacher records across 8,809 schools worldwide. While EdTech Magazine reported that hackers claimed to steal 6.65 terabytes of data, Instructure maintained that the group stole 3.65 terabytes of records from its "Free for Teacher" service.
The incident hit local school communities. In North Carolina, school officials warned that classroom data from schools across the state was accessed during the incident, as reported by WRAL. Administrators in Needham, Massachusetts, confirmed the breach leaked student and staff names and email addresses, according to WCVB.
The attack escalated when hackers injected extortion messages onto the login screens of hundreds of schools. This forced Instructure to take Canvas offline, causing widespread outages during finals week. Instructure eventually paid a ransom to secure the return and verified destruction of the data, as reported by EdSurge. This breach follows other school security crises. As we previously reported, the student information platform PowerSchool also faced security incidents this year.
The Bigger Picture
Historically, school cybersecurity has been reactive. IT departments patch software vulnerabilities only after their discovery, or respond after a hacker has already entered the system. According to Netguardia, this creates patch backlogs that leave small, underfunded school IT teams struggling to keep up.
Security experts urge school districts to adopt Continuous Threat Exposure Management (CTEM). CTEM is a five-stage process involving scoping, discovery, prioritization, validation, and mobilization, as outlined by IONIX. Instead of trying to fix every system flaw, CTEM helps districts focus on vulnerabilities that pose the greatest risk to student safety and daily instruction.
The framework reduces security incidents. According to Gartner, organizations that use CTEM will suffer two-thirds fewer data breaches than those that do not. Still, implementing the process is difficult for public schools. According to Qualysec, a true CTEM model must operate 24/7 to identify threats in real time. Without dedicated staff, schools risk buying security tools without having the manpower to resolve vulnerabilities, as warned by IONIX.
What This Means for Families
While passwords, financial details, and Social Security numbers were not compromised in the Canvas breach, according to EdTech Magazine, the stolen information still puts students at risk. Exposed student names, IDs, emails, and private messages can be used by scammers to create convincing phishing emails aimed at children.
Classroom disruptions caused by system shutdowns also hurt student learning, especially during exams, as documented by EdWeek. Parents must monitor their children's digital accounts to protect their information.
What You Can Do
First, avoid alternative login paths. If school online portals are down, do not attempt to bypass the outage using bookmarked links or alternative search results.
Second, discuss phishing with children. Parents should teach kids not to click on strange links, download unexpected attachments, or reply to suspicious pop-up alerts on their learning dashboards.
Finally, advocate for better vendor standards. Ask school administrators and board members how they vet third-party EdTech vendors. Districts should demand that platforms prove they use continuous risk-monitoring practices before signing software contracts.