Ransomware Hackers Crash Finals Season

In the middle of final exams, ransomware hackers hijacked global education platform Instructure, the company behind Canvas. The attack denied service to millions of users and enabled hackers to access personal data associated with students.

The hack is the latest in a pattern of ransomware attacks against companies that provide essential services to American K-12 and higher education — and federal efforts to address these patterns have lapsed.

Canvas Breached

Hackers known as ShinyHunters breached Instructure in early May, triggering global outages that denied service to millions of active users. Thousands of universities and K-12 institutions rely on Canvas to manage assignment submissions, coursework, grading, and communication between faculty and students. The attack brought Canvas offline, forcing universities to reschedule exams and extend deadlines.

ShinyHunters claims to have accessed 275 million records, including names, email addresses, student ID numbers, and messages from thousands of schools globally. The hackers had initially gained access to Instructure’s system, warning that they would execute a ransomware attack. In response, Instructure issued initial “security patches.” Unfortunately, the company failed to secure its system from the group’s second breach, in which the group threatened to leak the data if a ransom was not paid. ShinyHunters has been involved in past high-profile hacks and functions as a cybercrime organization without formal nation-state backing.  

Instructure announced in a May 11 press release that it struck a deal with the hackers to return the data, including digital confirmation of data destruction. But according to the company, “there is never complete certainty when dealing with cybercriminals,” and not all ransomware victims can reach the same agreements.

Opportunistic Hackers, Vulnerable Targets

Groups like ShinyHunters are known to exaggerate the scope of their breaches as leverage for maximum ransom payouts. But the underlying dangers of data exposure are real, and the consequences extend well beyond disrupted final exams.

Education technology (EdTech) hacks routinely yield more than just names and email addresses. The PowerSchool breach in December 2024 exposed the personal data of nearly 60 million students, including Social Security numbers, medical information, home addresses, and birth dates — and minors are especially vulnerable to identity theft. Without a need to monitor credit, fraud can go undetected for years, surfacing only when a victim applies for a first apartment or student loan.

A Critical Opportunity To Refocus on Education Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) has identified K-12 schools as a “target rich, cyber poor” environment. To address this vulnerability, the Trump administration can revive the K-12 Cybersecurity Government Coordinating Council — a federal body launched in 2024 to formalize federal, state, and local collaboration on cyber defense — which was suspended in spring 2025. The administration can also direct CISA to engage educational institutions, focusing on EdTech vendors as a growing attack vector. CISA can work with schools and vendors to establish minimum security standards as a condition of contracting, conduct vulnerability assessments, and facilitate real-time threat information sharing that warns of system hardening before an institution falls victim to a ransomware attack.

Second, although money cannot solve the entire problem, K-12 schools need funding for cybersecurity resources and technical assistance to determine when and where it is appropriate or necessary to provide sensitive data to third-party vendors. Educational institutions do not control the cybersecurity posture of the platforms and services they use, but with assistance, they can institute stringent cybersecurity protocols for their own data as well as learn what vendors do to protect student data in cyberspace.

Third-party vendors often fail to comply with their legal requirement to report breaches of student data to the affected school district. As written, the Family Educational Rights and Privacy Act, which protects the privacy of student records, does not specify a timeline for when vendors must report a cyber incident. There is a clear need to update the statute to address this gap. To ensure that affected students can take remedial action quickly, a 24-hour maximum would be advisable.

Johanna “Jo” Yang is a policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, where she works on issues related to nation-state cyber threats, critical infrastructure protection, and U.S. cybersecurity policy. For more analysis from the authors and CCTI, please subscribe HERE. Follow Jo on X @JohannaYang_. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.