A cyberattack has targeted a software system used by colleges and universities nationwide, exposing the personal and financial records of thousands of students. The breach occurred between May 27 and June 9, 2026. It targeted Oracle's PeopleSoft software, which institutions use to manage financial aid, human resources, and student grades. This security failure comes just weeks after the same hacking group compromised the Canvas learning management system, showing a growing threat to student data privacy.
What Happened
According to a report by the Google Threat Intelligence Group and Mandiant, a cybercrime group known as ShinyHunters targeted a vulnerability in Oracle PeopleSoft. The hackers reportedly compromised over 100 organizations, and about 68% of those victims are in the higher education sector.
The attackers claim to have exfiltrated sensitive administrative data such as student financial aid records, health records, immigration statuses, dates of birth, and home addresses. The full list of affected schools is not public, but institutions like Nottingham University have already been identified among the victims.
This attack is part of an ongoing campaign by ShinyHunters. In May 2026, the group twice gained unauthorized access to the Canvas learning management system. That breach disrupted final exams at colleges and exposed the data of 1,616 K-12 school districts. These vulnerabilities affect students of all age groups.
The Bigger Picture
These breaches show a systemic vulnerability in educational technology. When schools contract with third-party software companies, they trust them to protect student records. However, federal privacy laws do not always hold these vendors directly accountable.
Under the Family Educational Rights and Privacy Act (FERPA), the legal responsibility to protect student records falls on the school, not the third-party vendor. If a vendor loses student data, the school may be found in violation of federal law, even though it did not control the security of the vendor's servers.
To address this, federal agencies are increasing enforcement against vendors using other laws, such as the Children’s Online Privacy Protection Act (COPPA). For example, the Federal Trade Commission's 2023 action against Edmodo rejected the idea that companies can shift all privacy responsibilities onto schools. As we previously reported on school data security, educational institutions remain main targets because of the financial and personal data they store.
What This Means for Families
For parents and college students, a breach of this scale poses a risk of identity theft and financial fraud. A credit card is easy to replace, but stolen social security numbers, birth dates, and addresses can be used to open fraudulent accounts for years. These disruptions to administrative systems like PeopleSoft and Canvas also delay tuition payments, financial aid disbursements, and grades.
What You Can Do
Parents of college students and older high schoolers should regularly check their children's credit reports. Freezing credit files with the three major credit bureaus can prevent unauthorized accounts from being opened.
It is also useful to ask schools which third-party vendors handle student financial and academic data, and inquire about how they vet these vendors' security practices.
Finally, students should use strong, unique passwords and enable multi-factor authentication (MFA) on all school portals, especially those linked to bank accounts or financial aid profiles.