The recent cyberattack targeting Canvas, the learning management system used by thousands of schools and universities worldwide, is another stark reminder that the education sector is one of the most attractive targets for cybercriminals. The attack, linked to the ShinyHunters extortion group, reportedly affected institutions across multiple countries and exposed potentially vast amounts of student and staff data.
For many educational organisations, the disruption went far beyond inconvenience. Classes were interrupted, portals became inaccessible, exams were delayed and institutions were forced into crisis response mode during critical academic periods. Some reports suggest attackers claimed access to hundreds of millions of records tied to students, educators and staff worldwide, as well as enrolment details and private messages allegedly accessed through Canvas export features and APIs.
This incident highlights a reality that many in the cybersecurity sector have known for a long time. Schools, colleges and universities are operating in an increasingly hostile digital environment while often lacking the resources, visibility and security maturity needed to defend themselves effectively.
Why the education sector is under pressure
Educational institutions face a uniquely difficult cybersecurity challenge.
Unlike many commercial organisations, universities and schools are designed around openness and accessibility. Thousands of students, lecturers, contractors and external partners require access to systems and data every day. Users connect from personal devices, remote locations and unmanaged networks. Research collaboration frequently involves third parties and cloud platforms.
This is why zero trust security is becoming increasingly important across the education sector.
Richard Ford, Integrity360 CTO, says: ‘Outside of budget constraints, the education ecosystem’s main challenge is access. Access for students, teachers and 3rd parties, with the majority using unmanaged devices. This is where zero trust excels and should be a priority to ensure the principle of least privilege is implemented, and identities and access are secured.’
For schools and universities, this approach can significantly reduce the risk posed by compromised credentials, unmanaged devices and third-party access. Strong identity verification, least-privilege access controls, continuous monitoring and segmentation all help limit how far attackers can move if an account becomes compromised.
At the same time, institutions store enormous volumes of highly valuable information. Student records, financial details, research data, intellectual property, examination materials and sensitive communications all present attractive opportunities for attackers.
The Canvas incident demonstrates how a compromise at a third-party technology provider can rapidly cascade across thousands of institutions simultaneously.
This supply chain dependency is becoming one of the sector’s greatest risks.
Many educational organisations rely heavily on cloud-based learning platforms, collaboration tools and externally managed applications. While these technologies provide flexibility and scalability, they also expand the attack surface dramatically.
How the Canvas cyberattack happened
Instructure, the company behind the Canvas learning platform, confirmed a cybersecurity incident in early May after attackers linked to the ShinyHunters group gained unauthorised access to user data. The breach reportedly exposed names, email addresses, student ID numbers and user messages tied to schools and universities worldwide.
Several days later, the incident escalated when Canvas login pages for hundreds of educational institutions were reportedly defaced with ransom messages from ShinyHunters. Students and staff attempting to log in were redirected to messages threatening the release of stolen data unless negotiations took place before a set deadline.
“A repeat compromise, days apart, underlines two important things we need to pay attention to in cybersecurity. Firstly, persistence is pervasive and attackers can remain in an environment after containment. It’s critically important monitoring is in place post-breach to ensure containment and eradication were successful. Secondly, and if this was an entirely fresh breach, it shows how persistent attackers can be to ensure they get their payday,” says Richard.
While some early reports speculated that fake login portals may have been involved, current confirmed reporting points more towards attackers exploiting vulnerabilities connected to Instructure’s “Free-For-Teacher” environment and then modifying login pages as part of the extortion campaign.
The attack caused major disruption during critical exam periods, preventing access to coursework, assignments and communication systems across thousands of institutions globally. The incident highlights how heavily the education sector now depends on cloud platforms and how a compromise affecting one major provider can rapidly impact schools and universities worldwide.
The challenges schools and universities face
Limited cybersecurity resources
Many schools and universities simply cannot compete with the private sector when it comes to cybersecurity budgets and talent acquisition.
Security teams are often small, overstretched and tasked with protecting increasingly complex environments with limited funding. This can lead to delayed patching, inconsistent monitoring and gaps in incident response readiness.
Attackers know this.
Education remains one of the most targeted sectors globally because threat actors often view institutions as softer targets with valuable data and weaker defensive capabilities.
Highly distributed environments
Modern education environments are decentralised by nature.
Institutions may have multiple campuses, remote learners, hybrid teaching models, cloud applications and thousands of unmanaged endpoints connecting daily. Visibility becomes difficult, particularly when legacy infrastructure and modern cloud services coexist.
This creates opportunities for attackers to exploit weak authentication controls, compromised credentials or poorly secured integrations.
Heavy reliance on third-party platforms
The Canvas attack reinforces the risks associated with third-party providers.
Even institutions with strong internal controls can be exposed if a trusted external platform suffers a breach. Learning management systems, communication platforms, research portals and administrative systems all represent potential attack vectors.
Educational organisations must now think beyond securing only their own infrastructure. They also need visibility into supplier risk and third-party exposure.
Phishing and identity attacks
Students and staff remain prime targets for phishing campaigns and social engineering attacks.
Academic calendars create predictable attack windows. Enrolment periods, examination seasons and financial aid deadlines all provide opportunities for attackers to impersonate trusted systems or exploit urgency.
Where large numbers of inexperienced or transient users exist, attackers often see an easy path into institutional environments.
Operational disruption
Cyberattacks in education are no longer just about data theft. Disruption itself has become a weapon.
If online learning systems fail, institutions can struggle to deliver teaching, process coursework or communicate effectively with students. In some cases, entire academic operations can grind to a halt.
The reputational damage can also be severe, particularly where student trust and safeguarding responsibilities are involved.
The growing need for proactive cybersecurity
The traditional reactive approach to cybersecurity is no longer enough for the education sector.
Waiting until an incident occurs before investing in visibility, detection and response creates unnecessary risk. Educational institutions need proactive cybersecurity strategies capable of identifying suspicious activity before disruption escalates.
This includes:
- Continuous monitoring of networks, cloud environments and identities
- Faster detection and response capabilities
- Stronger identity and access management
- Security awareness training for staff and students
- Incident response planning and testing
- Third-party risk management
- Vulnerability management and penetration testing
- Security controls aligned to evolving compliance requirements
Cyber resilience in education is now about maintaining operational continuity as much as protecting data.
How Integrity360 can help
Educational organisations require cybersecurity partners that understand the complexity of the sector and can provide practical, scalable support.
Integrity360 works with organisations across education and the wider public sector to help strengthen cyber resilience, improve visibility and reduce operational risk, and helps institutions detect and respond to threats quickly before they become major incidents.
Services that can support schools, colleges and universities include:
- Incident response and forensic investigations
- Penetration testing and security assessments
- Identity and access management
- Cloud and email security
- Security awareness training
- Governance, risk and compliance services
- Threat intelligence and proactive monitoring
Integrity360 is also assured under the NCSC Cyber Incident Response scheme, providing additional confidence for organisations seeking experienced incident response support during a crisis.
The Canvas cyberattack is unlikely to be the last major incident affecting the education sector. As institutions continue expanding their digital ecosystems, attackers will continue searching for weaknesses to exploit.
Educational organisations cannot eliminate risk entirely, but they can dramatically improve their resilience, visibility and ability to respond.
Concerned about your cybersecurity? Get in touch with the experts at Integrity360.
