How School Data Breaches Threaten Student and Employee Privacy

A major cyberattack at Mount Royal University highlights the rising threat of educational data theft. Learn how families can protect their digital records.

Wednesday, July 8, 2026

Key Takeaways

  • Mount Royal University suffered a data breach where hackers stole files from individual user drives and deleted departmental data, impeding recovery efforts.
  • While Mount Royal University offered credit monitoring only to employees, Goodwin University extended 24 months of identity protection to both students and staff after its early 2026 breach.
  • Educational cyberattacks rose 23% year-over-year in early 2025. Hackers are increasingly targeting and deleting institutional backup systems to force ransom payments.
  • Security experts advise schools to implement the '3-2-1' backup strategy. Under this approach, institutions keep at least one disconnected, offline copy of all critical student and academic records.

Mount Royal University in Calgary is recovering from a major cyberattack that resulted in the theft and deletion of sensitive student and employee data. The incident, first detected in June 2026, compromised individual storage drives and disrupted campus services. This breach is part of a growing wave of cyberattacks targeting educational institutions, leaving parents and educators concerned about digital safety and data recovery.

What Happened

According to the university’s official incident response page, an unauthorized third party breached the school's "H drive," a file storage system used by individual employees and students. The hackers accessed and stole specific folders before deleting the data to disrupt recovery efforts. The university also reported that its "J drive," which stores departmental data, was completely deleted. Officials found no evidence that this specific departmental information was copied before deletion.

The university contacted law enforcement and the Alberta Information and Privacy Commissioner. To address the risk of identity theft, the administration is offering two years of free credit monitoring and identity protection services, but only to current and former employees from the past five years. Affected students will be notified, but they have not been offered the same automatic credit monitoring protections.

The Bigger Picture

This incident highlights a sharp increase in cyber threats facing educational institutions. Ransomware attacks on schools, colleges, and universities rose 23% year-over-year in the first half of 2025, according to data published by eCampus News. These attacks are becoming more malicious. Hackers no longer just encrypt data, but now actively destroy backups. Modern threat actors use compromised admin credentials to locate and wipe out cloud-hosted recovery points, a process that can occur in less than 30 minutes, as detailed by Computer Integration Technologies.

When breaches occur, the standard for student protection varies widely. For example, when Goodwin University resolved a security breach in early 2026, a legal investigation by Dapeer Law showed that Goodwin offered 24 months of free credit monitoring to both current and former students and staff whose information was compromised.

Meanwhile, large-scale learning platforms are also targets. In April 2026, the popular Canvas learning management system suffered a massive breach. According to reports from Money.com, hackers stole 3.65 terabytes of data, including student names, email addresses, and enrollment records. Security researchers at Krebs on Security noted that the stolen files included private messages between teachers and students. The platform's parent company, Instructure, ultimately paid a ransom to the hackers to obtain proof that the stolen files were destroyed.

What This Means for Families

When school systems are breached, the immediate risk to families is not just financial fraud, but targeted phishing. Hackers use stolen names, email addresses, and class schedules to construct highly realistic messages designed to trick parents or students into revealing passwords or financial details. When school servers are wiped, students risk losing critical coursework, portfolios, and academic records.

As we previously reported regarding what security audits mean for student privacy, digital learning tools must be held to rigorous data protection standards. When institutions rely on insecure legacy drives, they leave sensitive data vulnerable to permanent deletion.

What You Can Do

Students should not rely solely on school-provided servers to store their coursework. Adopt the "3-2-1" backup strategy recommended by the UK Department for Education. This involves keeping three copies of important files on two different devices, with one copy kept offline or on a personal cloud drive.

If your school or university is affected by a breach, change your login password immediately. If the school uses Single Sign-On, update your primary institutional password, and do not reuse this password on external personal accounts.

Be skeptical of unexpected emails or text messages claiming to be from school administrators, professors, or financial aid offices, especially if they ask for urgent action or personal details. Verify the request through an official phone directory or trusted campus portal.

Share: