A wave of cyberattacks targeting major education technology platforms has exposed the sensitive records of millions of students, parents, and school staff. As we recently noted in our coverage of surging school data breaches, these incidents show the growing risks families face as classrooms become increasingly digital. School districts and parents now face the reality that basic school portals are primary targets for global cybercriminals.
What Happened
Several prominent EdTech companies and school networks have suffered major security breaches. The extortion group ShinyHunters recently targeted Canvas, a widely used learning management system. According to reports from SecureWorld, the hackers claimed to have compromised records tied to roughly 275 million users across nearly 9,000 schools worldwide. While the platform's developer, Instructure, reached an agreement with the hackers to destroy the stolen data, the FBI warns that such agreements do not guarantee data safety. The breach accessed names, email addresses, student IDs, and private user messages containing details like medical conditions or Title IX disclosures. However, Lyrie Research reports that passwords and financial data were not compromised.
Meanwhile, ShinyHunters also breached the student information system Infinite Campus. An investigation by BleepingComputer confirmed that a compromised Salesforce instance leaked the personal details of more than 137,000 unique school staff accounts. Fortunately, Infinite Campus reported that no customer databases containing student records were accessed in that specific incident.
On an international scale, the Singapore-based Global Schools Foundation fell victim to a massive cyberattack by the extortion group FulcrumSec. As reported by Channel NewsAsia, Singapore’s Personal Data Protection Commission is currently investigating the incident. While the full scale remains unverified, BreachNews notes the hackers claim to have exfiltrated 4.8 terabytes of data, including 33,088 passport numbers belonging to children and their parents, along with millions of internal school messages detailing discipline, bullying, and mental health issues.
The Bigger Picture
These breaches show a systemic issue in the rapid expansion of educational technology. The average cost of an education-sector data breach has now climbed past $4.5 million. This rise shows the high financial value of student data. This risk increases because of "Shadow IT," a practice where individual teachers bypass formal school district procurement channels to use unvetted, free applications in the classroom.
Many educators and parents do not realize where the legal liability lies when data leaks occur. Under the Family Educational Rights and Privacy Act (FERPA), the school itself, rather than the technology vendor, is legally responsible for compliance. If a vendor mishandles student data, the school district faces federal investigation and the potential loss of funding. Such leaks also cause severe reputational damage. Schools must maintain "direct control" over how these external vendors handle student data.
What This Means for Families
For parents, these breaches mean that classroom tech is no longer a private sandbox. Stolen directory information, combined with personal messages, leaves families vulnerable to sophisticated phishing attempts and long-term identity theft. Minors are particularly lucrative targets for identity thieves because they have clean, unmonitored credit histories that can go unchecked for years.
What You Can Do
Schools and families must work together to demand better digital safety.
First, school boards must adopt repeatable evaluation policies, such as the Datapath security checklist, to ask critical questions about how vendors store, protect, and share student data before signing any contracts.
Second, districts should explicitly separate standard "directory information" (which parents can opt out of) from highly sensitive "education records" like grades and medical plans. They must apply much stricter technical controls to the latter.
Finally, parents should ask their children’s teachers which platforms they use and verify that their school district has officially approved those tools, eliminating the use of unvetted "Shadow IT" apps.