A security incident at K-12 software provider Infinite Campus exposed contact information for school staff through a compromised customer support platform. While early online rumors suggested a breach at learning management system Instructure, investigations confirm the unauthorized access was limited to an internal ticketing system, leaving core student databases secure.
What Happened
Online chatter initially pointed to a compromised database at Instructure, but those claims proved false. Infinite Campus confirmed that an unauthorized actor gained entry to an employee account within its corporate Salesforce instance. The company uses Salesforce for client support and ticketing, not for housing its primary student information system.
Internal investigations show the exposed records consist of names and contact details for school staff, which is information often found on public school websites. Infinite Campus reported no access to student databases. The company is currently scanning the compromised support tickets to determine if any educators included sensitive student information when requesting technical assistance.
The Bigger Picture
The educational technology supply chain is interconnected, and security depends on a vendor's weakest external tool. As we previously reported during the McGraw Hill data breach, secondary platforms like Salesforce are targets for hackers looking to bypass primary databases.
Under federal law, outsourcing technology does not mean outsourcing liability. The U.S. Department of Education holds school districts accountable for how third-party vendors handle student records. The Family Educational Rights and Privacy Act (FERPA) mandates only that districts exercise "reasonable care" and does not define technical requirements. This regulatory gap often allows vendors to rely on self-reported security questionnaires instead of independent penetration testing.
District security is also hampered by "shadow IT"—software or apps purchased by individual teachers or departments without formal district vetting. When educators use unsanctioned tools, or share sensitive data through unsecured support channels, they bypass district cybersecurity protocols.
What This Means for Families
For parents, the takeaway is that core academic and demographic records in the Infinite Campus student information system were not compromised. The data exposed belongs almost exclusively to adult school staff.
This incident reveals a risk in the classroom technology ecosystem. Even when a district vets a primary software platform, the vendors rely on third-party customer service tools that can be vulnerable. If a teacher includes a student's name, ID number, or behavioral notes in a help desk email, that data exists outside the secure student database. Data privacy extends beyond the main app and into the operational tools companies use to maintain their software.
What You Can Do
- Ask your school district's technology director if their vendor vetting process includes independent penetration tests.
- Request details on how the district manages "shadow IT" to prevent teachers from adopting unapproved digital tools.
- Monitor communications from your district to see if Infinite Campus discovers any inadvertently shared student data within the compromised support tickets.