The ShinyHunters breach didn’t just take down a learning platform. It exposed the catastrophic privacy debt that edtech has been building for years — and the students paying the price.
On a Thursday that will be remembered in school IT departments for years, thousands of colleges, universities, and K-12 institutions across the United States lost access to Canvas — the learning management system used by more schools than any other platform in the country. The culprit: a breach carried out by ShinyHunters, the prolific hacking collective responsible for some of the largest data theft operations of the past decade. The response from Canvas’s parent company, Instructure: shut the platform down entirely while they assessed the damage.
For students in the middle of coursework, for teachers mid-lesson, for administrators managing enrollment and grades — the blackout was immediate and total. No workaround. No backup. Just gone.
Higher education has always been a target-rich environment for ransomware gangs and data extortion operations. But the Canvas breach represents something new in scale and character: a single attack against a single vendor that simultaneously paralyzed thousands of institutions. It is the logical endpoint of a decade of edtech consolidation — and a preview of what happens when an entire sector’s critical infrastructure runs through one set of servers.
WHO IS SHINYHUNTERS AND WHY SHOULD SCHOOLS BE AFRAID
ShinyHunters is not a new name in cybersecurity circles. The group first gained notoriety around 2020 with a series of large-scale database thefts targeting companies including Tokopedia, Wishbone, and Microsoft’s private GitHub repositories. Over the following years, the collective — believed to operate across multiple countries — became associated with some of the most damaging data breach operations of the era.
Their method is consistent: gain access to a target’s databases, exfiltrate as much data as possible, and then either sell the data on dark web marketplaces, threaten to release it publicly, or both. Unlike traditional ransomware operators who encrypt files and demand payment for decryption keys, ShinyHunters specializes in data extortion — the threat is exposure, not lockout.
In 2024, ShinyHunters claimed responsibility for the Snowflake customer breach campaign, which ultimately affected Ticketmaster, Santander Bank, Advance Auto Parts, and dozens of other companies. The attack vector — compromised credentials to a cloud data platform shared by multiple enterprise customers — bears uncomfortable similarities to the Canvas breach model.
What makes the Canvas situation uniquely alarming is the nature of the data that sits inside a learning management system. Canvas doesn’t just hold course materials. It holds student records, assignment submissions, private messages between students and faculty, grade data, disability accommodation information, mental health disclosures, and — at institutions that integrate single sign-on systems — credentials that can unlock far broader access to university networks.
In the hands of ShinyHunters, that data is not a trophy. It is inventory.
THE EDTECH PRIVACY CRISIS: A BREACH TIMELINE
The Canvas hack did not emerge from nowhere. It is the most disruptive incident in a long and worsening pattern of data security failures in educational technology. The sector has been hemorrhaging student data for years.
POWERSCHOOL (2025): In what became one of the most significant K-12 data breaches in U.S. history, PowerSchool — whose student information system is used by over 60 million students in North America — suffered a breach affecting school districts across dozens of states. Attackers gained access through a compromised credential, exfiltrating sensitive records including student names, addresses, Social Security numbers, medical alert information, and academic histories. In many cases, schools were not notified for weeks. The PowerSchool breach laid bare the catastrophic exposure that comes when a single vendor holds the records of tens of millions of minors.
ILLUMINATE EDUCATION (2022): Illuminate Education, which provides assessment and attendance tracking software to thousands of K-12 schools, suffered a breach that exposed the records of approximately 820,000 students in New York City alone. The incident triggered investigations by the New York City Department of Education and raised questions about whether schools had adequately vetted Illuminate’s security practices before entrusting it with student data. The breach affected some of the most vulnerable student populations, including children with individualized education programs (IEPs) and English language learners.
PEARSON (2019): Education giant Pearson disclosed a breach affecting the data of millions of students stored in its AIMSweb platform, used by school districts for student performance tracking. The company was later criticized by the SEC for its public disclosures around the breach, ultimately paying a $1 million fine for misleading investors about the incident’s scope and the state of its cybersecurity practices.
CHEGG (2018 & 2020): Online learning platform Chegg has suffered multiple data breaches affecting tens of millions of users. In 2018, the records of approximately 40 million users were exposed. In 2020, the company was breached again. The FTC ultimately took action against Chegg in 2022, citing the company’s “careless” data security practices and requiring it to implement a comprehensive security program and offer multi-factor authentication to users.
CAPITOLVANTAGE / COLLEGE BOARD ADJACENT INCIDENTS: Multiple incidents over the years have affected vendors adjacent to college admissions and standardized testing infrastructure, with student financial and academic data exposed through third-party breaches that students had no knowledge of and no way to prevent.
The pattern is consistent across all of these incidents: students and parents are not informed promptly, the data exposed is deeply sensitive, the affected vendors had inadequate security programs relative to the sensitivity of the data they held, and the regulatory consequences have historically been minimal.
THE FERPA PROBLEM
Every school that uses Canvas, PowerSchool, Illuminate, or any other third-party edtech vendor is subject to the Family Educational Rights and Privacy Act — FERPA — the federal law governing student education records. FERPA requires schools to protect the confidentiality of student records and governs under what circumstances that data can be shared with third parties.
Here is the critical flaw: FERPA’s third-party vendor framework was designed for a world where schools contracted with a handful of software providers. It was not designed for an ecosystem in which a single university might share student data with dozens or hundreds of edtech platforms, learning apps, proctoring services, and analytics providers — each of which may in turn share that data with their own subcontractors.
FERPA’s “school official” exception allows schools to share student data with vendors without obtaining parental or student consent, provided those vendors are under direct control of the school and use the data only for educational purposes. In practice, this exception has been stretched to cover a vast commercial edtech ecosystem in which student data flows through multiple corporate hands with limited oversight, weak contractual controls, and inconsistent security standards.
The Department of Education has issued guidance on FERPA and data security, but enforcement has been historically rare and the penalties modest. For most edtech vendors, the practical compliance burden under FERPA is low — which is precisely why data security standards across the sector remain inconsistent.
EDTECH AND THE CONSENT DEFICIT
Beneath the security failures lies a deeper structural problem: most edtech platforms were built with almost no meaningful consent framework for student data. Users of Canvas, of PowerSchool, of Chegg, of Pearson’s platforms did not affirmatively consent to having their data collected, retained, processed for analytics, or shared with third parties. In many cases they had no realistic choice — participation in the platform was a requirement of enrollment.
This consent deficit matters for several reasons. First, it means students have had no visibility into what data is held about them, who has access to it, or how it is used. Second, it means that when a breach occurs, the affected individuals often don’t know the full scope of what was exposed. Third, it means that the data security obligation — the duty to protect data that was collected without meaningful consent — rests entirely with institutions and vendors that have, as the breach record shows, not always taken it seriously.
The Student Privacy Pledge, a voluntary framework signed by hundreds of edtech companies, commits signatories to not sell student data and to maintain reasonable security practices. But voluntary frameworks are not law, and the breach record among pledge signatories demonstrates the limits of self-regulation.
Several U.S. states have moved to fill the gap. The Student Online Personal Information Protection Act (SOPIPA) in California, New York’s Education Law 2-d, and similar statutes in other states impose binding requirements on edtech vendors around data use and security. But coverage is uneven, enforcement is inconsistent, and none of these laws have yet produced the kind of sector-wide accountability that the pattern of breaches demands.
THE RANSOMWARE ECONOMY AND EDUCATION
Education is the single most targeted sector for ransomware attacks in the United States, according to multiple annual threat reports from cybersecurity firms including Emsisoft, Recorded Future, and Sophos. In 2023, the K-12 education sector reported more ransomware incidents than any other industry. In 2024, the pace accelerated.
The reasons are structural. Schools and universities typically operate on limited IT budgets relative to the size and sensitivity of their data footprints. Legacy systems are common. Staff turnover is high, creating persistent credential management challenges. And the operational pressure to restore access — because every day of downtime means disrupted education for students — creates a strong incentive to pay ransoms quickly, making education a reliably profitable target.
The Canvas breach adds a new dimension to this threat model. Previous ransomware incidents typically affected individual school districts or individual university IT environments. The ShinyHunters attack on Instructure created a single point of failure that took down thousands of institutions simultaneously. As edtech consolidation continues — as more schools migrate to a smaller number of dominant platforms — the blast radius of any single successful breach grows correspondingly larger.
Cybersecurity researchers have a name for this dynamic: supply chain concentration risk. And the Canvas incident is its clearest demonstration yet in the education sector.
WHAT SCHOOLS AND INSTITUTIONS MUST DO NOW
The Canvas breach is not primarily a story about ShinyHunters. It is a story about institutional choices — years of choices — about data governance, vendor oversight, security requirements, and the consent frameworks that give students visibility and control over their own information.
For schools and universities evaluating their current posture, the immediate priorities are clear:
Vendor security auditing is non-negotiable. Every third-party edtech vendor with access to student data should be subject to formal security assessments, not merely contractual representations. Schools should be asking for SOC 2 reports, penetration test results, and incident response plans — and should not be accepting vendor assurances at face value.
Data minimization must become standard practice. The richness of the data held by Canvas, PowerSchool, and their peers reflects years of feature expansion without corresponding data governance discipline. Schools should work with vendors to identify what student data is actually necessary, and delete or restrict access to what is not.
Consent frameworks need modernization. Schools operating under FERPA’s school official exception should review whether their contracts with edtech vendors actually meet the statute’s requirements for control and data use limitations. Where state laws impose additional requirements, compliance should be verified, not assumed.
Incident response planning can no longer be theoretical. Every institution should have a tested, documented plan for what happens when a critical edtech vendor goes offline — whether due to a breach, a ransomware attack, or any other disruption. The Canvas blackout demonstrated what happens when that planning hasn’t been done.
Student notification protocols need to be faster and more transparent. In both the PowerSchool breach and the Illuminate incident, affected students and families waited weeks for notification. That is legally problematic and ethically indefensible when the data at risk includes records of minors.
For a practical guide to building a compliant data governance and consent management framework for educational institutions, Captain Compliance’s resource library covers the specific obligations and best practices relevant to the edtech context.
THE LARGER PICTURE: KOCHAVA, CANVAS, AND THE CONSENT ECONOMY
It is not a coincidence that the two most significant privacy and security stories of this period — the FTC’s landmark settlement with location data broker Kochava and the Canvas breach — share the same fundamental problem: data collected at scale, retained without meaningful consent frameworks, and eventually exposed or exploited in ways that cause real harm to real people.
In the Kochava case, the FTC’s entire argument rested on the absence of affirmative consent. The data broker had collected precise location data from hundreds of millions of devices without consumers’ knowledge and sold it to buyers who could use it to track movements to sensitive locations. The settlement’s core remedy was consent: you cannot sell sensitive location data without it.
The Canvas breach reveals what happens when consent frameworks are absent in an entirely different context — not commercial data brokers, but the educational infrastructure that American students have no realistic choice but to use. The harm is different in character but similar in origin: data collected at scale, held by a single concentrated vendor, with no meaningful visibility or control for the individuals whose information is at stake.
The connection is more than thematic. As the FTC, state attorneys general, and Congress continue to develop the regulatory framework for data privacy in America, the edtech sector’s breach record will be cited alongside the location data industry’s practices as evidence of what happens when consent is an afterthought rather than a foundation.
For schools, vendors, and anyone operating in the edtech ecosystem: the moment to build that foundation is before the next breach, not after. Captain Compliance works with educational institutions and technology providers to design and implement consent management and data governance frameworks that meet the requirements of FERPA, applicable state laws, and the emerging federal privacy landscape.