Recent cyberattacks on major education technology platforms have exposed the personal data of thousands of school employees and raised fresh concerns about student privacy. Hackers successfully breached widely used student databases and international school networks. These incidents have prompted school districts to re-examine their security protocols, showing the vulnerability of the software systems that parents and educators rely on daily.
What Happened
In March 2026, the hacking group ShinyHunters breached the Salesforce environment of Infinite Campus, a student information system used by over 3,200 school districts to manage data for 11 million students, as reported by BleepingComputer. The breach exposed the personal information of 137,100 school staff accounts, leaking phone numbers, physical addresses, usernames, and support tickets onto the dark web. Infinite Campus confirmed that no student databases were compromised during this attack.
In early June 2026, the Singapore Personal Data Protection Commission launched an investigation into a cybersecurity incident at the Global Schools Group. A hacking group named FulcrumSec claimed responsibility for stealing 4.8 terabytes of data, including passport numbers, financial details, and correspondence belonging to students, staff, and parents. While the group operates internationally, school administrators stated they successfully restored affected systems and minimized operational disruptions.
The Bigger Picture
These breaches are part of a wider trend. Earlier this year, a data breach targeting the learning management system Canvas affected 8,809 educational institutions, leaking 6.65 terabytes of data. As we previously reported, school districts are adopting proactive security policies to manage these third-party risks.
Schools face a severe resource gap when trying to secure their networks. According to the 2026 State of EdTech report by CoSN, cybersecurity is the single highest priority for technology leaders. Yet 65% of EdTech leaders cite a lack of a dedicated budget and insufficient staffing as their primary barriers to defense. This funding shortfall leaves IT departments struggling to defend against artificial intelligence-accelerated threats with limited personnel. Many districts are also dealing with digital clutter. As we have documented, schools are auditing and clearing out unproven digital tools to reduce their overall attack surface and secure student data.
What This Means for Families
For parents and educators, the immediate risk is rarely school closures, but rather long-term identity theft and targeted phishing scams. Hackers use stolen directory information, email addresses, and phone numbers to construct highly convincing phishing campaigns. When passport numbers and home addresses are leaked, as occurred in the Global Schools Group incident, the risk of financial fraud and identity theft increases significantly.
These breaches show that school security is only as strong as its weakest third-party vendor. Even if a school district has strong internal firewalls, a vulnerability in an integrated software platform like Salesforce or Canvas can expose the entire community's data.
What You Can Do
Parents and staff can take several steps to protect their information. First, check your personal security settings by making sure parent portals and student accounts use strong, unique passwords. Enable two-factor authentication (2FA) wherever available to prevent unauthorized access.
Be highly skeptical of unsolicited emails, texts, or phone calls claiming to be from your child's school. This is especially important if they ask for sensitive information, passwords, or payments.
You can also advocate for school IT funding. Encourage your local school board to allocate dedicated funds for cybersecurity staffing and continuous monitoring, rather than treating digital security as an afterthought. Finally, ask school administrators how they vet third-party apps and whether they have incident response plans in place to handle potential data leaks.