We’ve been seeing a rise in cyberattacks and now the next targets: Schools and universities. These are the new hotspots because they store research data, financial records, student information and extensive login databases.
And it’s a number that really is growing – Quorum Cyber even recorded 425 cyber incidents affecting higher and further education institutions between November 2024 and October 2025. The company recorded 260 incidents during the 12 months before that.
The Quorum Cyber report found data breaches increased by 73%, hacktivist activity increased by 75% and ransomware incidents increased by 21%. Researchers also found phishing caused 34% of ransomware incidents. Credential theft and stolen passwords continued throughout universities because student turnover creates constant account activity and changing user access.
Quorum Cyber reported that attackers target universities involved in advanced research, including AI and quantum computing. The company also found DDoS attacks against UK education institutions increased fivefold during the reporting window.
Jack Alexander, Senior Threat Intelligence Analyst at Quorum Cyber, said, “The education sector is now dealing with a convergence of threats: nation-state actors seeking strategic advantage, hacktivists responding to geopolitical events and cybercriminal groups pursuing financial gain.”
He added, “What stands out in this data is how targeted and coordinated these attacks have become. In many cases, adversaries are exploiting known vulnerabilities, exposed credentials or predictable operational patterns. Universities and schools need to understand which vulnerabilities are actively being exploited, where their credentials may be exposed and how attackers are operating across the sector. The earlier these signals are identified, the greater the opportunity to disrupt attacks before they escalate into major incidents.”
What Does Reliance On Technology Mean For Education?
Modern schools and universities run through digital systems handling lessons, research projects, examinations, attendance records and communication platforms. Online access now supports daily academic operations throughout the education sector.
The UK government’s Cyber Security Breaches Survey 2025 found that 91% of higher education institutions experienced a breach or cyber attack during the previous year. The survey also found that 30% experienced attacks at least once every week.
Ambrose Neville, Head of Information Security at Queen Mary University of London, said, “Universities are increasingly targeted both for the data they hold and the very diverse mixture of workloads and technologies. We’ve observed attacks designed to interrupt teaching, research and day-to-day operations.”
He continued, “The challenge for the sector is that openness and collaboration is fundamental to how higher education institutions operate. This makes it more challenging to simply lock systems away, in the way that some other industries may be able to. As a result, we prioritise security resilience. It’s critical to know where you’re exposed, spot threats early and respond quickly before incidents escalate.”
Cyber security teams managing these systems are also working longer hours. Research from Seemplicity found that 45% of cyber security leaders work 11 or more additional hours each week, while 20% work an additional 16 or more hours weekly.
Rob Babb, Exposure Management Strategist at Seemplicity, said, “Google’s findings suggest we’re moving beyond AI assisted code generation into AI assisted exploit reasoning, where models can identify flawed trust assumptions and navigate complex authentication logic. This has the potential to dramatically lower the barrier to sophisticated exploitation and compress the timeline between vulnerability discovery and active attacks.”
What Happened During The Canvas Cyber Attack?
And then, there’s the massive Canvas incident…
Instructure, the company behind the Canvas learning platform used in schools and universities around the world, confirmed that attackers hacked into part of its environment during a global cyber incident.
Steve Daly, CEO of Instructure, wrote, “This incident involved unauthorised access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised.”
The company also confirmed that attackers exploited a vulnerability connected to support tickets in the Canvas Free for Teacher environment. Instructure temporarily disabled the Free for Teacher service during a security review. Canvas remained operational during the incident.
Daly admitted communication problems during the attack response. He wrote, “Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback.”
The company later announced that it reached an agreement with the unauthorised actor connected to the incident. Instructure said the data had been returned and that the company received “digital confirmation of data destruction (shred logs).” The company also announced, “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
The incident affected schools and universities using Canvas throughout multiple countries and added another example of how education systems now rely on online platforms for teaching, assignments, communication and administration.
With all of this, experts speak more about our reliance on tech….
Our Experts:
- Dipan Mann, Founder And CEO,Cloudskope
- Yoon Auh, Founder of BOLTS Technologies
- Candid Wüest, Senior Security Expert, Advisor And Keynote Speaker, Candid
- Rishi Kaushal, CIO, Entrust
- Muhammad Yahya Patel, vCISO And Cybersecurity Advisor, EMEA, Huntress
- Andrew Southall, Founding Engineer, SkySiege
- Jack Alexander, Senior Threat Intelligence Analyst, Quorum Cyber
- Arie Brish, St Edwards University
- James Shaffer, Insurance Panda
Dipan Mann, Founder And CEO,Cloudskope
“We’ve come to depend on solutions across ecosystems like education, without analysing out over-dependence on them.
“Companies that choose to frame marketing statements over truth and hide behind compliance reports rather than a committed drive to better cyber defenses are going to lose-every time.
“Contingency plans are critical events for key delivery mechanisms for industries. Education is no exception.“
Yoon Auh, Founder of BOLTS Technologies
“The Canvas breach is a textbook example of the “centralisation trap.” By allowing a single provider to dominate nearly half the North American market, the education sector has created a massive, high-value target for groups like ShinyHunters.
“However, it takes two to tango: the affected institutions, which include the entire Ivy League and the University of California (UC) System, are not entirely blameless. These are the world’s leaders in Computer Science, Cybersecurity, and Cryptography. There is a glaring disconnect when a university’s own research departments lead the world in security theory, yet its administration fails to apply those pragmatic safeguards to its own infrastructure. It reflects poorly on the perceived value and reputation of the education they provide.
“Going forward, SaaS providers like Instructure must stop viewing cybersecurity as a ‘cost center’ to be trimmed for efficiency and start treating it as a Value Protector and Strategic Asset. The legal repercussions and reputational ‘black mark’ now facing the company will surely cost multiples of whatever ‘efficiencies’ were extracted over years of cost-cutting. Ultimately, the tuition paying students shouldn’t be the collateral damage of corporate margin expansion. This is a wake-up call to all educators that a backup plan isn’t just for IT, it’s hard to hack paper and pencil.”
Candid Wüest, Senior Security Expert, Advisor And Keynote Speaker, Candid
“The global cyberattack against the Canvas education platform demonstrated once more our critical reliance on a few key technology services. The attack disrupted hundreds of university exams for hours, highlighting a widespread lack of resilience. Every external dependency an organisation relies on introduces potential risks for data breaches, supply chain infections, and sudden system downtime.
“Disaster recovery is not the same as business continuity, and organisations must include all their SaaS applications in their Business Continuity Management (BCM) planning. This does not just apply to major hyperscalers like AWS, Azure, GCP, and Cloudflare – which have caused massive outages when unavailable – but to industry-specific platforms as well. Anything you can’t surviVe without should be analysed.
“This incident serves as a stark reminder that outsourcing infrastructure does not outsource the underlying risk. While limited resources and a lack of alternatives can make it difficult to guarantee high availability, organisations still need to calculate their risk exposure and establish a solid Plan B. Furthermore, we expect the leaked information from this breach to be abused in the near future to launch context-aware, personalised phishing campaigns.”
More from News
- What Does The King’s Speech Mean For Businesses In The UK?
- Why Do UK MPs Consider NHS’ Data Sharing With Palintir A Danger To UK Health Data?
- The US And China Are Negotiating AI’s Future – Is The Middle East’s Neutral Position Still Tenable?
- Why Are Brands Moving From Traditional To Affiliate Marketing?
- World Password Day 2026, Part 2: How Are Passkeys And Security Shaping Industries?
- Wolverhampton HealthTech Leader Wins Digital Healthcare Award At Medilink Midlands 2026
- Is Uber’s New Data Mining Strategy Exploitative As Drivers Lose Their Jobs To Self-Driving Vehicles?
- Vision 2030 Promised A Tech Economy – Are MENA Founders Actually Benefiting?
Rishi Kaushal, CIO, Entrust
“The Canvas incident is a reminder that organisations can’t assume scale automatically translates into resilience. Trust in major platforms depends on more than uptime – it depends on how well sensitive data is protected, how tightly access to critical systems is controlled, and how confidently organisations can recover without exposing information during an incident.
“What separates resilient platforms from fragile ones is disciplined execution of the fundamentals: strong identity and access controls around crown-jewel systems, consistent encryption practices, and proven recovery processes that preserve both speed and data integrity. As organisations become more dependent on large SaaS and cloud platforms, the expectation is no longer just availability – it’s the ability to recover securely and maintain trust when something goes wrong.”
Muhammad Yahya Patel, vCISO And Cybersecurity Advisor, EMEA, Huntress
“The education sector is uniquely vulnerable when it comes to data breaches, not because of weak technology, but because of who the data belongs to. We’re potentially talking about minors. Children whose personal information, including names, email addresses, and student IDs, could now be in the hands of criminal actors. Unlike a credit card, which can be cancelled, a child’s identity and educational record follow them. The implications for identity theft, targeted social engineering, and even safeguarding are serious and long lasting.
Practical Advice for those who might be affected:
– Change your Canvas password immediately, and if you’ve reused that password anywhere else, change it there too. Credential reuse is one of the primary ways a single breach cascades into multiple account compromises.
– Enable multi-factor authentication (MFA) on your email account, especially if it’s the one linked to Canvas. Email is the master key to most online accounts.
– Be alert to phishing. Attackers who have your name, email, and institution can craft highly convincing messages pretending to be from your school, Canvas, or even a specific teacher.
– If something asks for login details or feels urgent, verify it through an official channel before acting.
– Monitor for identity fraud. For parents, be vigilant, children’s identities are attractive precisely because they often go unchecked for a long time.”
Andrew Southall, Founding Engineer, SkySiege
“Modern technology is too much of a multiplier these days to avoid. Going without it is unthinkable, hence we need to deal with the downsides such as this attack where ShinyHunters are once again sowing chaos.
“Working in cybersecurity and providing technical due diligence for acquisitions we see all sorts of applications in use. The reality is that none of them are 100% reliable and these days even giant services like GitHub are failing basic service standards, not even meeting a 90% uptime.
“Therefore the strategic approach is to minimise the effect when it does happen – this includes reducing blast radius, maximising resiliency and implementing as many failover options as possible. In practical terms for this compromise – ShinyHunters claim that they have “Several billions of private messages among students and teachers…”. If true that’s an incredible amount of data to be storing, data which is likely a set of transient messages not intended for long term reference.
“Additionally, they claim that the Salesforce instance was breached as well. That infers that there’s links or ownership between those systems such that lateral movement was possible. If that’s the case then linking up systems like this is the opposite of minimising the blast radius. If Canvas had these systems directly connected it’s likely they hadn’t ascertained full visibility of what would be compromised should either side go awry.”
Jack Alexander, Senior Threat Intelligence Analyst, Quorum Cyber
“The education sector is now dealing with a convergence of threats: nation-state actors seeking strategic advantage, hacktivists responding to geopolitical events and cybercriminal groups pursuing financial gain.”
“What stands out in this data is how targeted and coordinated these attacks have become. In many cases, adversaries are exploiting known vulnerabilities, exposed credentials or predictable operational patterns. Universities and schools need to understand which vulnerabilities are actively being exploited, where their credentials may be exposed and how attackers are operating across the sector. The earlier these signals are identified, the greater the opportunity to disrupt attacks before they escalate into major incidents.”
Arie Brish, St Edwards University
Rule #1 in security -there is no 100% guarantee. All you can do is add layers of protection that will improve your resilience, but it will never be 100%.
Rule#2: Always have a Plan B should something goes wrong.
“For cloud environments, companies should think beyond basic security and focus on resiliency architecture. That includes:
• High Availability (HA) and real-time failover systems that keep applications running even if one environment is compromised or fails.
• Multi-cloud redundancy and cross-cloud backup strategies that prevent dependence on a single provider or single point of failure.
• Segmented backups, rapid recovery plans, and continuous monitoring.
“The above redundancies requires additional layers of software integrations and there are IT consultants that can help implementing (for a fee).
“The recent Canvas breach is another reminder that cloud security is no longer just about prevention – it is also about recovery speed, operational continuity, and limiting the blast radius when something eventually goes wrong.”
James Shaffer, Insurance Panda
“The current state of technology has turned a school’s student data into a digital house of cards. As demonstrated by the “Canvas” cyber-attack, while efficiency may be used as a synonym for reducing failures, the ultimate result will still be a single point of failure. Schools replaced their paper records and local backup systems with the ease of using a single sign-on for the cloud. Thousands of students now pay the cost for that lack of effort. This represents a common example of poor risk management practices. In the past, we treated our platforms as utilities, without taking the necessary measures to ensure they had redundant components.
“This describes the nature of the current web. We’ve become addicted to centralised solutions. At Insurance Panda, I witness companies making the same mistake over and over again. They consolidate resources into one bucket simply because it’s less expensive. However, once the bucket becomes compromised, there’s nothing left within it. The solution to the problems in education is not more software; it’s a return to offline means of building resilience. If your ability to administer a test depends on a stable Internet connection, then you do not possess a system; you own a liability.
“Do not pretend to be shocked. Using a cloud-based model is inherently speculative. All institutions require a “black-out” plan that does not include waiting for a spinning wheel. If you cannot operate during times of technological failure, then you are not providing leadership.”
