Third-Party Breaches Teach Education Sector a Costly Lesson in Vendor Risk
Dark Reading
Rising threats from third-party actors are forcing institutions to play defense to protect student data from ransomware and other attacks.
Bree Fowler, Contributing Writer
June 27, 2026
Cybercriminals have long viewed the education sector, with its mix of legacy technology and new applications, uneven IT resources, and large amounts of data, as an easy and enticing target.
From the smallest rural K-12 districts to the world's most prestigious universities, IT professionals in education are focused on getting and keeping students and staff online, rather than protecting the systems their devices run on. Many have slim security budgets and are chronically understaffed. And the vast amounts of operational and personal data they hold could be ransomed or sold for use in future cybercrimes.
According to Verizon Business's 2026 Data Breach Investigations Report, there were 1,252 data breaches involving the education sector last year. More than half of those breaches involved malware, and 65% of those attacks involved ransomware.
Third-party compromises pose an increasing threat, as breaches of a single application can affect every institution that relies on it. What's worse is that often there's little, if anything, schools can do to protect themselves from the fallout.
"Higher education, K-12, they're trying to keep the wheels on, and they're doing their absolute best even when so much of it's out of their control," KnowBe4 CISO Advisor Erich Kron tells Dark Reading. "But in a lot of cases, the main organization that's beat up over a breach isn't the one who was at fault."
Third-Party Attacks Affecting the Education Sector
According to the DBIR, the primary vector of infection is via Web applications, which accounted for 71% of breaches in the education sector. More than 100 organizations were breached in late summer of 2025 after a ransomware gang exploited a zero-day vulnerability in Oracle's E-Business Suite. "A heavy concentration of those victims" were educational institutions, the report's authors noted.
There are other high-profile examples. Back in May, a pair of cyberattacks forced Instructure to take its learning management system, Canvas, offline, causing havoc for thousands of high schools and universities. Many of them were in the middle of administering final examinations and wrapping up the school year. The group claiming responsibility negotiated an arrangement with Instructure (most likely involving a ransom payment), promising not to further extort individual schools over this incident. Canvas has more than 30 million active users globally, with more than 8,000 institutions as customers, according to Instructure.
Instructure CEO Steve Daly said in a statement at the time that the attacks make it clear that platforms like Canvas are critical infrastructure and should be protected as such.
And back in 2023, attackers exploited a vulnerability in the managed file transfer application MOVEit in a massive breach affecting over 2,700 organizations. Among the affected organizations were the National Student Clearinghouse, whose breach impacted 900 universities, the New York City public school system, and the Minnesota Department of Education.
"The threats facing academic institutions and education technology providers aren't going away," Instructure's Daly said in the statement. "No single platform can build a resilient ecosystem alone, but I believe we can as a community."
Managing Third-Party Risk, Education Edition
It's the broad reach of third-party software-as-a-service applications like Canvas that makes them so appealing for attackers, says Adam Marrè, CISO at Arctic Wolf. One successful attack can affect thousands of institutions, giving cybercriminals significant leverage in making ransom demands.
In the case of Canvas, "I think the timing was not coincidental, that they looked at the end of the school year as when they would have maximum leverage on these institutions," says Marrè. It's similar to why cybercriminals target hospitals and others in the healthcare space. Schools and hospitals can't afford to be shut down and are highly motivated to pay.
From an ethical standpoint, nothing is off-limits anymore.
In some ways, educational institutions aren't any different than the world's biggest corporations. They all deal with the challenge of managing third-party risk, including keeping track of exactly what private and personal information their SaaS platforms have access to. The specific data security and privacy measures being taken by those SaaS companies often remain a mystery to the schools paying to use them.
Even so, third-party risk is much tougher for a school district or a university to handle on a limited IT budget.
Marrè says there are still things schools can and should do, starting with having a good third-party risk management program. Vendors should be contractually accountable for duties such as breach notifications, audit rights, evidence of segmentation between tenants, and proof of incident-response maturity. Educational institutions should also control the identity layer of security themselves, implementing a strong single sign-on (SSO) solution backed by multi-factor authentication (MFA). By handling this themselves, schools can protect access to their own systems even if there is a breach at one of their third-party providers. And like companies, schools need a vulnerability management and patching program, along with the ability to detect and respond to online threats against their own systems.
Artificial intelligence could lower the cost of detection and response tools, bringing these capabilities to educational institutions that couldn't previously afford them. "It's starting to happen and starting to really make a difference," Marrè says. "You're going to see more of this in the coming years as we make AI use even more effective in security."
But above all else, educational institutions need a resiliency plan that allows them to keep operating if something bad happens.
"You can't put the genie back in the bottle," Marrè says. "You can't prevent that information from getting out. The attackers have it, but what you can do is make sure your institution can still run if you have a good business-continuity plan that will allow you to be able to exist without it."
Increased Regulation Can Help Ease the Burden
While schools can take legal action against negligent companies that expose their data, that won't change the fact that the data has been exposed, KnowBe4's Kron says. The United States does not have a comprehensive federal privacy law like the European Union's General Data Protection Regulation; instead, it relies on a patchwork of state legislation.
While Marrè agrees that a federal privacy law is sorely needed in the U.S., he's not sure it would be enough to protect data in these types of incidents, noting that there are federal regulations governing software companies that handle healthcare data, yet those companies still get breached. Federal law enforcement investigates these kinds of crimes and sometimes secures indictments, which can have a deterrent effect.
Both Kron and Marrè emphasize the need for increased governmental cybersecurity funding for educational institutions.
"We fall down a lot on the federal requirements," Kron says. "And I think I would like to see those around the education system a little bit more, where everybody has a standard that they follow, that's funded somehow so they can, because that's the key."
About the Author
Bree Fowler
Contributing Writer
Bree Fowler writes about cybersecurity and digital privacy. Previously, she was a senior writer for CNET. Prior to joining CNET, she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, three-star world marathoner, and champion baker of over-the-top birthday cakes and all things sourdough.