The Cybercriminal Threat to Higher Education


In a recent cyberattack, the notorious hacking group ShinyHunters breached the security of Instructure, a prominent education technology platform, compromising the personal data of millions of users. The group claimed its attack touched 9,000 schools worldwide and swept up the personally identifiable information of 275 million students, teachers, and staff. It obtained identifying information such as names, email addresses, student identification numbers, and messages exchanged by Instructure users.

Educational platforms are vulnerable to cybercriminal attacks because they hold large amounts of personal and financial data. Instructure owns Canvas, the most popular learning management system, which more than two-fifths of institutions use.

In the past, ShinyHunters has targeted high-profile universities such as the University of Pennsylvania, Princeton University, and Harvard University. However, hacking Instructure reflects a strategy of attacking third-party vendors instead of individual institutions. By moving up the data supply chain, hackers can target thousands of institutions simultaneously.

While there is no evidence that government identification or financial information was leaked in the Instructure hack, the breach is still dangerous because phishers can now reference real student information to make their phishing attacks more effective.

Even organizations with strong security measures can be exposed. The breach highlights the risks of requiring organizations to collect and store large amounts of sensitive personal data. Legislation mandating age verification or other forms of data collection should be rejected, as it would make Americans more vulnerable to cyberattacks and put their personal information at risk.


Published on May 27, 2026