Canvas breach puts global education cyber risk in focus

Instructure's Canvas learning management system has suffered a major data breach affecting schools and universities worldwide, intensifying scrutiny of systemic cyber risk in education platforms.

Hackers claiming responsibility, including the ShinyHunters group, say they stole about 275 million student and staff records from the widely used platform. The dataset reportedly spans more than 7,000 universities and K-12 districts and includes years of academic activity. The attackers initially set a ransom deadline and threatened to release the information.

Some US universities, including Harvard and Northwestern, have postponed final exams after disruptions to Canvas access. The breach comes during peak exam season for many North American schools, which rely on the system for assignments, grading, and communications.

Security specialists say the incident underlines how deeply schools now depend on centralised cloud services. A compromise at one major SaaS provider can cascade across thousands of organisations at once.

Gareth Russell, Chief Technology Officer, Security for Asia Pacific at Commvault, said the education sector has become a prime target because of this concentration of digital operations.

"What this incident shows is that the education sector is now a serious target. The attackers didn't pick one school. They went after the platform thousands of schools rely on. Identity and shared platforms are the way in. For schools and universities, prevention on its own isn't the goal anymore. Resilience is. The harder question is whether you can keep operating, and recover, when something does land. The platform stayed up and teaching continued. That's the resilience win. But the data is already out there, and that part you can't roll back."

Security experts describe the Canvas hack as one of the most far-reaching education data thefts yet. Previous breaches typically affected a single campus or a narrow set of systems, rather than a core platform shared across so many institutions.

David Brown, Associate Director, Cyber Intelligence & Response at NCC Group, said the event illustrates the concentration of risk around a small group of vendors at the heart of teaching and administration.

"Beyond the immediate incident, this serves as a reminder of the systemic risk created by dependence on a small number of SaaS providers across the education sector. When core platforms are disrupted, the impact is felt by all affected institutions, regardless of their maturity. This underlines the importance of understanding the risk associated with your critical supply chain, and ensuring you have the resilience, assurance, and incident preparedness needed to respond in a crisis.

"This incident is among the most significant education-related data thefts seen to date. Previous incidents in the sector have often been limited to individual institutions or specific systems, whereas this event appears to have affected a significant number of organisations simultaneously. That breadth of impact is what makes it stand out, not just the volume of data involved, but the way a single compromise can cascade across an entire sector, affecting teachers and students globally. While similar breaches have been seen against SaaS-based platforms before, they have not typically concentrated their impact so clearly within a single sector.

Other industry experts stress the long lifespan of student identity data and the potential for fraud and abuse well beyond the immediate outage or extortion window.

Nabil Hannan, Field CISO at NetSPI, said the long-term risks extend beyond operational disruption.

"The Canvas breach highlights a growing systemic risk in education: schools are increasingly dependent on centralized SaaS platforms that create massive concentrations of sensitive identity data. A learning management system is not just a database. It can contain years of student communications, behavioural history, accommodations, and other highly personal information that becomes extremely valuable in the wrong hands. The long-term risk here extends far beyond operational disruption. Stolen student data can fuel phishing, impersonation, and identity fraud campaigns for years, particularly because children's identities often remain unused and undetected far longer than adult identities. This is why cybersecurity in education can no longer be treated as a simple IT issue. It is increasingly a student safety issue."

Industry concern has intensified after reports that Canvas paid the ransom demand. The decision has revived debate over whether such payments should remain legal and what effect they have on the wider cybercrime economy.

Mark Stockley, Cybersecurity Evangelist at ThreatDown, said the attack exposes the imbalance between well-resourced criminal groups and underfunded school IT teams, calling it a defining moment for the sector.

"The Instructure breach is a devastating attack on the nation's school system and a wake-up call to how outmatched many of our institutions are in the face of global cybercrime. This is extortion at a scale that should alarm every parent, educator, and policymaker in the country. Our thoughts are with the victims, and with the school IT teams watching this unfold knowing they could be next. These professionals manage complex environments on constrained budgets, where security competes with a hundred other priorities. It is a mismatch of colossal proportions, and the criminals know it. Nearly 30% of breaches start with some form of stolen identity, and ShinyHunters' attack was likely due to social engineering. It is unrealistic to expect every school to have a SOC in place, but the uncomfortable reality is that, with such significant identity turnover, schools, and US schools in particular, are only going to be targeted more. It is an easy ROI for cyber adversaries. We need to accept that reality and equip our schools for the fight ahead. Every school needs 24/7 protection capable of detecting attackers abusing trusted identities and legitimate system tools to move undetected through networks. This is education's Colonial Pipeline moment: the one that finally forces a reckoning."

Stockley has also called for more radical policy intervention on ransom demands.

"It's time to make ransomware payments illegal. The case for and against a ban has been debated for years. But while we've argued, ransomware attacks have continued to grow in frequency, scale, and impact. Now, with AI poised to remove many of the operational limits that still constrain cybercriminals, attacks like the devastating breach at Canvas risk becoming far more common. Ransomware is a criminal business model. Every successful payment funds the next attack. Every victim that pays not only puts a target on their back, but also finances the research, tools, and infrastructure that keep the cycle growing. It's time to break that cycle. Until every organisation has the security hygiene, resilience, and 24/7 protection needed to become an unaffordable target, we need stronger deterrents. Making ransomware payments illegal would not end the threat overnight, but it would strike at the economics that drive the ransomware ecosystem."

The breach has also highlighted how smaller institutions face the same level of threat as global corporations while operating with far fewer staff and tighter budgets.

Chris Wallis, Founder and Chief Executive Officer of Intruder, said smaller organisations are increasingly forced to defend against enterprise-grade threats with a fraction of the resources.

"We are seeing a disturbing trend where small and mid-sized organizations are forced to defend themselves against the same threats as giant enterprises like Google. In almost no other arena do you see such a massive disparity in resources versus the level of sophistication of the adversary. A company with a few hundred employees is often fighting the same battle as a firm with 180,000. These smaller teams are frequently facing hard times not because of a lack of skill, but because they are defending a global-grade attack surface with only a fraction of the necessary resources."