A cyberattack against one of the world’s largest digital education platforms has forced attention onto the vulnerability of U.S. schools’ data.
Instructure, the company behind Canvas, a learning management system used by thousands of schools which has 30 million active users, had its service interrupted late last week. According to a company statement, hackers breached Instructure’s “free for teacher” account, or those specifically offered to give teachers access to Canvas courses.
The criminal hacking group ShinyHunters claims to have stolen 275 million records from roughly 9,000 educational institutions around the world, per reporting from Security Week.
In the latest, at the beginning of this week, Instructure published a note saying that it had reached a deal with the hackers to return the stolen data and had received digital confirmation of data destruction, along with assurance that none of its customers would be extorted. The note did not mention what Instructure gave in return. But the note announced a webinar with “Instructure leadership” scheduled for Wednesday.
According to Instructure, this is the second data breach within the year. The latest included a breach of customer — including teacher and students’ — email addresses, usernames, enrollment information and course names.
The attacks happened around finals for many colleges. Canvas was back online as of Saturday, according to a note about the incident on Instructure’s website. But at least six universities and school districts in a dozen states sent out alerts noting they had been impacted by the attack, according to reporting from CNN. Prior to Instructure's deal, CNN noted that ShinyHunters had set a Tuesday deadline for schools to “negotiate a settlement.”
The education sector is an attractive target for hackers, with experts describing it as “target rich, resource poor.”
The breach comes amid immense frustration and legislative pushback against the extent schools have become reliant on edtech since pandemic closures forced schools to rush to embrace digital instruction and tools. Some wonder whether the attacks raise thorny questions about trust and the ability of schools to respond when outside vendors are targeted.
While this latest incident has renewed attention, cyber attacks against schools are not a new concern. Cybersecurity was even identified as a top concern in EdSurge’s 2025 trends forecast.
Indeed, the frequency of attacks has increased dramatically in recent years against both higher ed and K-12 schools, and some experts worry that AI is making attacks more sophisticated.
The figures are startling. For example, 82 percent of K-12 organizations reported a cyber security incident, according to a 2025 report from the Center for Internet Security, which noted 9,300 confirmed incidents.
Schools have struggled to figure out how to respond to new cybersecurity threats. Here are some notable highlights from the past few years:
- 2022: A cyberattack against Illuminate Education made the rounds. In 2018, the European Union passed the General Data Protection Regulation, or GDPR, providing clarity into what data protection parents, teachers and students should get. But a few years later, during the Illuminate attack, experts noted that the U.S. lacked a national consensus, though states were beginning to pass legislation.
- 2022: Later that year, after a major attack against Los Angeles Unified School District, one of the largest in the country, experts warned EdSurge that schools represent “honey pots of highly sensitive information.” In that attack, a ransomware gang dumped 500 GB of files, including sensitive student and teacher information, on the dark web when the district refused to pay.
- 2025: Early into the Trump administration’s second term, experts noted that coordinated federal attacks had been impacted by cuts, weakening federal support for schools. At the time, districts noted that they were operating “in the dark” with an uncertain future around cybersecurity issues.
- 2025: In a two-part EdSurge series, “Under Siege: How Schools Are Fighting Back Against Rising Cyber Threats,” reporter Ellen Ullman tracked how districts around the country are responding to AI’s rise in cyber incidents. Ullman’s reporting found that many schools remain weak on the fundamentals of cybersecurity, with small schools becoming attractive targets for cyber criminals. Schools are having to learn that the first line of defense against scams is humans, Ullman notes.
Some argue that the latest attacks are a sign that institutions need more meaningful expectations around cybersecurity, since the audits and certifications they currently rely on are failing to safeguard student data.
“Too often they serve as compliance theater and as weak shields against liability,” wrote Douglas Levin, national director of K12 Security Exchange Information, on social media.
Over the years, cybersecurity experts have shared a range of tips for schools to stay secure — from educating staff and students to seeking outside help to deal with the mounting threat.
With increasingly sophisticated attacks, there’s more than ever pressure for schools to secure student data despite all the challenges.
