The Canvas Hack Isn’t an Accident. It’s a Symptom.

14

Schools are still wide open.

A fresh attack on Canvas proves it. Instructure, the company powering the learning management system used by thirty million students, got breached late last week. Not the paid accounts. The hackers targeted the “free for teachers” tier. That specific choice matters. It shows attackers know exactly where the defenses are thinnest.

ShinyHunters claim they stole 275 million records. From 9,000 institutions globally.

The response? Typical. Instructure announced a deal. They say they bought the data back. Received “digital confirmation” it was deleted. Got promises that no schools would be extorted.

Silence on what they paid.

Just a webinar scheduled for Wednesday.

It is the second breach this year. Emails, usernames, course names. The stuff that ruins identities. It all hit while kids were taking finals. Chaos is good cover for theft. Canvas was back online by Saturday. But at least a dozen school districts across six states are still cleaning up the mess. ShinyHunters had even set a deadline for those districts to negotiate separately.

Why education? Because it is easy.

Experts call the sector “target rich, resource poor.” We have terabytes of sensitive data. We have budgets for cafeteria snacks but not for security engineers. And since the pandemic forced every teacher onto a computer, we left the doors unlocked. Now we are angry. But anger doesn’t stop ransomware.

It gets worse. AI makes the hackers smarter. We haven’t really adapted.

“82 percent of K-12 reported an incident in 2024. Over 9,300 cases confirmed.”

The numbers are boring until you think about the contents of your own inbox. Or your child’s records.

We have been here before. Just with different names.

  • 2018: The EU passed GDPR. America shrugged. We lacked national consensus on who owns student data.
  • 2022: Illuminate Education got hit. Then Los Angeles Unified. Hackers dumped 500 gigabytes of student files on the dark web because LAUSD refused to pay. They called the schools “honey pots.” They were right.
  • 2025: Federal support vanished. Cuts hit coordinated defense teams. Districts started operating in the dark. No guidance. No help.

Reporter Ellen Ullman looked into it. Her findings for EdSurge were bleak. Schools are weak on the basics. Small schools are particularly tempting. Why fight a fortified fortress when you can steal from an open garage? The first line of defense isn’t software. It’s humans. And humans get tired. They click the wrong links.

So we rely on audits.

Certifications. Checklists. Douglas Levin, who runs K12 Security Exchange, called it “compliance theater.” He wasn’t wrong. Paper shields don’t stop bullets. They just give you a legal defense when everything goes wrong.

Schools are being told to “educate staff.” To “seek outside help.” Easy to say. Hard to do when your IT guy is also the person who fixes the printer in the gym.

The pressure is mounting. The attacks are getting smarter. We keep waiting for the vendor to save us.

They won’t.

Попередня статтяThe Math Gap Is Back
Наступна статтяThe Gavel Stays in Human Hands