EdTech Attackers Shift From Schools to Their Software Suppliers

CYBERATTACKS & DATA BREACHES CYBER RISK NEWS Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know. EdTech Attackers Shift From Schools to Their Software Suppliers Educational institutions, the edtech companies they rely on, and, more concerningly, the challenges they pose for schools are the focus of the latest Reporters' Notebook video series. Arielle Waldman,Features Writer,Dark Reading June 25, 2026 SOURCE: DARK READING Threats against the education sector have mounted over the past five years and are becoming even more widespread, as attackers set their sights on educational technology (edtech) vendors. Rather than conducting ransomware or other attacks against an individual school or district, cyberattackers now target learning management systems (LMS) and other educational applications to victimize hundreds, if not thousands, of institutions in one fell swoop.  The attack by Shiny Hunters against Instructure's LMS Canvas earlier this year — forcing the Canvas platform offline during a time when many students had final examinations — is a prime example of how disruptive these attacks can be. The gang also claimed responsibility for not one but two attacks against Instructure in one month.  This was not the first attack against edtech. Two years prior, Powerschool, an edtech cloud-based platform for K-12, gave into ransom demands following a data breach where threat actors took off with students' names, Social Security numbers, medical information, and academic records.  Related:Processes & Culture Top Reasons Behind Data Breaches It's that kind of high-value information, combined with the institution's often limited security resources, that makes targeting edtech so appealing to cyberattackers. That doesn't mean higher education institutions with more resources escape scrutiny. The innovative research data at those institutions is attractive to attackers, too. Three reporters — Dark Reading's Arielle Waldman, TechTarget SearchSecurity's Sharon Shea, and Cybersecurity Dive's Eric Geller — share what they've learned while speaking to industry experts on how the edtech ecosystem and the relationship between vendors and educational organizations will evolve. Companies and organizations could start pushing to add specific cybersecurity requirements into their contracts with the vendors. Learn more in the video transcript below, and check out other episodes in the Reporters' Notebook series for insights and coverage from across Informa TechTarget's three cybersecurity publications.  Arielle Waldman, Eric Geller & Sharon Shea: Full Video Transcript This transcript has been edited for clarity and length by Informa TechTarget's internal AI assistant. For the full experience, please watch the video.  Dark Reading's Arielle Waldman: Hi, everyone, welcome to another edition of the Reporters' Notebook. Today we're going to be discussing the education sector and all the issues that they've been facing. My name is Arielle Waldman and I'm a features writer for Dark Reading. I have Sharon Shea and Eric Geller with me. Would you like to introduce yourselves?  Related:Attackers Hit Cisco SD-WAN Flaw 2 Months Before Disclosure Cybersecurity Dive's Eric Geller: Yes, I'm Eric Geller, senior reporter at Cybersecurity Dive.  TechTarget SearchSecurity's Sharon Shea: Hi, I'm Sharon Shea, executive editor on TechTarget SearchSecurity.  Thank you all for joining us today. We're excited to chat about ed tech and the educational sector and cybersecurity. So, we're kind of coming off at the heels of the what folks are calling the biggest attack on education in history. In late April and early May, edtech company Instructure confirmed a cyberattack on its Canvas Learning Management System. Threat group Shiny Hunters claimed responsibility for the attack and said that they stole 3.65TB of data, including information from 275 million users across almost 9,000 schools. As of May 11, Instructure said it had reached an agreement with the attackers and that the software is safe to use. I don't think we know if they paid a ransom or not, but whatever "reached an agreement" means.   And then again, just last week, Shiny Hunters also claimed responsibility for further attacks on higher ed, reportedly exploiting the Oracle PeopleSoft software suites, [the vendors] for ERP, CRM, [and] HCM, and they have campus applications to help higher ed manage student records, admissions, financial aid. Google noted that while some organizations were able to block or remediate the vulnerabilities before this latest round of attacks, others are compromised and have had their data published on data leak sites. So, education is unique. It's up against a lot of threats and this just kind of touches on the supply chain side, the software supply chain, and you know organizations getting hit because of their software suppliers, as in through Canvas and the PeopleSoft software.  Related:Scope of Salesforce Attacks Expands as Icarus Leaks Data And also a bit of the ransomware in there too, right? Because they spoke with the attackers and reached an agreement. So, Arielle, I didn't know if you want to talk a little bit more about other attacks that you've seen and written about and what you have experienced. Well, not experienced, but …  DR's Arielle Waldman: Sure. Yeah. Yeah, this seems to just be the latest supply chain attack. I think one issue is kind of the concentrated area of schools only use certain platforms and software. And they've just experienced so many attacks in the last five years alone. In 2023, there was a big one with Progress Software's MOVEit. It's a file transfer that schools use, and that was also a ransomware attack, and that affected a lot of schools as well, another supply chain ransomware situation, which is so common against the sector. And then the PowerSchool data breach that happened a couple of years ago. PowerSchool is an ed tech cloud-based platform. It's used in K through 12 schools. And in that case, it was a data breach and attackers made off with names, addresses, birth dates, academic records, and even medical information.  And in that case, I think it was confirmed that they paid a ransom to have the files deleted, which does seem common, maybe in the education sector. I don't know if it's always confirmed, but like you said, it seems like they talked with the attackers, which maybe insinuates that they did pay a ransom since the data is so valuable and sensitive when it comes to students. And with the most recent with Canvas, it happened during finals week, which put another kind of hurdle, kind of disrupted school even more so. Though I don't think the students were that upset. I saw a lot of things on social media with students kind of thanking Shiny Hunters for disrupting their finals and things like that, which, you know, I think kids are so immune to it nowadays that their schools are just being attacked and they receive data breaches, as [does] everyone, and these attacks just continue to show that.  Eric, do you wanna kind of dig into why schools are such a big target?  CD's Eric Geller: Yeah, it’s a kind of a toxic combination of a bunch of factors. First, they, you know, have a lot of data. Second, they have a lot of data about people who are at the very beginning of their lives. So Social Security numbers and personal information is gonna be usable for a lot longer because these people are so young. If you steal that information, you have in some cases 80 more years of usefulness from it if the person doesn't change some of that information and you can't, you know, change the Social Security number. So that there's the lifespan of the data is so much longer and when you combine that with the fact that these are not well protected organizations, they're funded by local governments. They have dire needs outside of cybersecurity that receive a lot more of the funding, teacher pay infrastructure. They’re not only valuable targets because of the data that they hold, but they're easy targets because of the networks that they run.  There's also another security issue for them because you know, a lot of them will give out tablets, and it's not always easy to manage the security of the tablets. Same with laptops, but also students are bringing their own devices to school. If you think about a business environment where you're trying to enforce a managed device policy because of the security risks of BYOD, it's so much harder in a school environment. So, you have all these outside devices coming into the network and if you could sort of think of it as an insider threat where the student doesn't have malicious intent.  But if the attacker is able to break into the student's device because they're not prioritizing cybersecurity, and who among them is, that's another vector for them to get in. And then they can move across the network because that computer is given access to the network infrastructure at the school. So, these are places that don't have the money to prioritize cybersecurity. They have a hard time often attracting top-tier cybersecurity experts to work for them. They're connected in some cases to other local government infrastructure and that infrastructure is also vulnerable. And so all of that kind of helps explain why it's easy to get in. And then of course as I said, once you get in, there's a lot of good stuff to take. So, the combination of those things makes them really, really easy and valuable target.  DR's Arielle Waldman: I was gonna add in one thing. The students are also posing insider threats as well. They're trying to hack into the system sometimes, either just kind of to see if they can hack or to change grades, maybe to their computers are, you know, just get around the security measures so they can break out onto the Internet. They'll try to hack in that way.  TTSS's Sharon Shea: Yeah.  DR's Arielle Waldman: So, it's just schools are experiencing these threats from so many angles, not just attackers. Obviously, like you said, students aren't trying to be malicious, but it really just adds to the noise. And like you said, they're so under-resourced and understaffed. The adding to any noise, it makes these teams, you know, they're already busy and they don't have time to sort through the noise and find out it's a student and they just kind of take more resources. So, schools just have it from all ends.  TTSS's Sharon Shea: Absolutely. I was also gonna touch on what you mentioned, you know, the Social Security numbers and everything of the students and you also have their parents, you know, folks who are also signing for the financials and everything. You have the staff, you have other faculty, and even the financial aid data, payment data, and a lot of healthcare information too [that] will roll through the school as well. So, another big vector. And also a lot of the higher ed organizations are, you know, research facilities. So, you have all of that intellectual property also at risk.  CD's Eric Geller: Right, you have on the one end the students in the K-12 sector who are, you know, at the beginning of their lives and their data is very valuable. And then at the other end, you have the top-tier research universities where the students are a little older, but the other data is so much more valuable because it's not the parents' financial info. It's in some cases this, you know, patentable intellectual property, this confidential data about applied research innovations and, you know, we're talking about this in the education sector, but there is also an overlap with the defense sector because some of the universities do have defense contracts. Or if it's not military related, they're working on scientific research for the government in other contexts. So, it is an interesting duality that you have, you know, the youngest of the young kids where you don't really care about what they're learning in school. You're not trying to get their arithmetic homework, but they as identity theft victims are so valuable. And then at the other end, the students are actually, because of what they're doing, more interesting than the identity of the people who are in the school.  TTSS's Sharon Shea: I think, too, we touched on the resources of schools as well. You know, a lot of schools are on legacy infrastructure like older companies and those are difficult to patch, difficult to manage with limited budgets and limited staff.  DR's Arielle Waldman: Great point. Can't afford the downtime often to patch as well, yeah.  TTSS's Sharon Shea: Absolutely. And beyond kind of the BYOD issue and kind of insider threats, what other sort of problems are we seeing with the infrastructure and why there are issues among education higher ed?  CD's Eric Geller: Well, I think one big challenge is these school districts don't have a lot of leverage with their vendors to enforce procurement requirements. So, one of the things that I think you're gonna start to see is local governments will really try to package together the software that they need across the county or across, maybe it's the state, so that they can get better terms with the vendors so that they're putting in a larger purchase order, they have a little bit more sway with the vendor as opposed to the very specific school software that only the schools are going to buy, the vendor is in a much more advantageous position than the school because they sell to a lot of schools. The school is only buying from a handful of vendors. The school, in many cases, can't turn to another vendor either because it doesn't have exactly the features they need or because they've been using the same vendor for years and switching would be very difficult. And so that the relationship there you know, the biggest changes I think we're gonna see in cybersecurity when it comes to the security of software are the result of procurement terms, what the buyer can require from the vendor as a result of the leverage that they have.  And that's just not something that exists in the K-12 at least education environment. I won't speak to the higher ed environment because oftentimes those public university systems have a lot of sway with their vendors because they're huge institutions. But a local school district to say nothing of just a local government in general is going [to] have a much harder time. And so, I think what you're seeing now, I actually was at a conference recently where there was a conversation about ed tech. And there's going to be a push I think to try to include those terms in the contracts where possible and then where it isn't possible to explicitly have stronger cybersecurity language to try to litigate after a breach on the basis of existing statutes to try to get the vendors to do better about cybersecurity so that they don't expose themselves to that kind of liability with other customers going forward.  So that that liability and kind of vendor expectations and procurement ecosystem, I think that's an interesting space to watch if you're interested in ed tech cybersecurity over the next few years. How does that evolve? How do the districts get more out of the software they're buying, even though they don't have the power to tell the vendors exactly what to do?  DR's Arielle Waldman: Yeah. I don't know how motivated the vendors are to kind of include strong security if there's not that many choices for the schools or like you said, they've been using one vendor for a while, they don't have a lot of resources to switch. So yeah, maybe they'll be more motivated to do so if that's kind of built in there.  TTSS's Sharon Shea: And I think that's also why you'll see, you know, as we saw with Instructure, one vendor gets hit and it had, you know, 9,000 schools. So, it'll be interesting to see.  DR’s Arielle Waldman: Another threat that I've been kind of covering are ghost students. So, this is just another issue that schools are dealing with. Basically, these are fake students. They could be bots or anything like that. And these threat actors kind of take up resources because they apply for financial aid and other things. And they kind of take it away from the real students. So they're kind of fake applicants. They can use they use celebrity names sometimes or stolen identities.  And then in that way they secure admissions or financial aid. And it's really straining resources in higher education institutions. Basically, the individual goes through the application process, but they're not actually going to attend. They could be scammers or bots. And why in one case, a fake student stole more than $10 million in federal finances from California community colleges in just one year. So, it's definitely racking up there and taking even more resources away. Since the attackers know that schools are really under resourced and understaffed and they're just continuing to take advantage of that.  TTSS's Sharon Shea: That's an interesting point. Have you seen, you know, how schools are combating this with the limited resources?  DR's Arielle Waldman: Yeah, it's really it's getting tough. I don't think they are managing to get through some of them. I think maybe awareness is like kind of where it's starting right now and just looking out for these threats and knowing that it's happening. I think the growing awareness is kind of the first step so that the understaffed teams can know what to look for in those situations. Because before I think it was lesser known and it was hard to kind of pick that out amongst all the threats that they're facing. So, the awareness I think is helpful there. TTSS's Sharon Shea: Absolutely.  DR's Arielle Waldman: And obviously ransomware continues to be a huge issue. I feel like ever since COVID, it just picked up against the schools and it just has not slowed down. I don't know if that's ever gonna kind of slow down. It seems schools just really can't handle ransomware with the downtime, and you know, all the sensitive data. So, they just keep continue to make, you know, do those attacks and schools continue to fall victim and  there's so many different avenues now with all using some of the tools at home, like the parents, you know, the kids bring these things home and the parents have different logins, the teachers, the students, there's just so many different kind of attack vectors there now, which makes it so much more difficult. Even the parents have to look out for these phishing emails or, you know, keep on top of that as well. It's not just the educators and students.  TTSS's Sharon Shea: Yeah, I think phishing, identity security, MFA, phishing-resistant authentication will, you know, across all industries is an issue, but in ed tech as well.  Well, I think we've had some interesting insights here today. I want to thank everyone for joining us. With TechTarget SearchSecurity, I am Sharon Shea.  CD's Eric Geller: And from Cybersecurity Dive, I'm Eric Geller.  DR's Arielle Waldman: From Dark Reading, I'm Arielle Waldman. Thank you.  Don't miss the latest Dark Reading Confidential podcast, Do CISOs Need a Code of Ethics? Kickbacks, no-show jobs, "dirty" VCs, and shelfware — industry expert Robert "RSnake" Hansen explains why he thinks it's time for a CISO code of ethics. It could ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security. Listen now! About the Author Arielle Waldman Features Writer, Dark Reading Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.     She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.     Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Threat Hunting That Gets Big Results Despite Small Budgets Say Yes to AI: Securing Innovation Without Compromise Zero Trust Identity: Beyond Traditional Authentication Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Edge Picks APPLICATION SECURITY AI Agents in Browsers Light on Cybersecurity, Bypass Controls CYBER RISK Browser Extensions Pose Heightened, but Manageable, Security Risks CYBERSECURITY OPERATIONS Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds ENDPOINT SECURITY Extension Poisoning Campaign Highlights Gaps in Browser Security Latest Articles in The Edge CYBER RISK He Thought He Was Secure; His Phone Number Was Stolen Anyway JUN 22, 2026 CYBER RISK Most CISOs Report Pressure to Bury Bad Security News JUN 15, 2026 CYBER RISK AI Risk Worries Insurers & Businesses Alike JUN 10, 2026 ENDPOINT SECURITY The Invisible Battlefield: How Cyberwar Is Reshaping Everyday Life JUN 9, 2026 Read More The Edge Want more Dark Reading stories in your Google search results? BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS