What this attack reveals about higher education’s cybersecurity
Publish Date: 2026-05-12 08:15:00
Source Domain: universitybusiness.com
A cyberattack last week that exposed the personal data of millions of users has reignited concerns about how colleges share information with third-party vendors.
Instructure, the edtech company behind the widely used learning management system Canvas, disclosed a breach in late April.
While experts moved to contain the incident, Harvard, Columbia and thousands of other U.S. institutions reported receiving an unauthorized message through Canvas the following week. The message demanded that Instructure pay a ransom; if the company refused, hackers threatened to release roughly 3.5TB of user data from more than 8,800 institutions, ITPro reports.
The disruption also prevented students from submitting critical end-of-semester assignments, including exams and final projects.
Many campuses restored access by last Friday, and Instructure found that the leaked data did not contain any passwords, dates of birth or financial information.
However, this incident underscores a dangerous trend. The U.S. education sector remains the top global target for cyberattacks, and bad actors increasingly exploit third-party vendors to access institutional data, says Cliff Steinhauer, director of Information Security and Engagement at the National Cybersecurity Alliance.
“The Canvas breach underscores how deeply schools now depend on centralized digital platforms to keep day-to-day academic operations running,” he says. “When a system used by thousands of institutions goes down during finals season, it demonstrates that cybersecurity incidents can quickly become large-scale operational disruptions, not just isolated IT problems.”
Recent attacks highlight the pattern. Last year, a Russian ransomware group exploited Oracle’s E-Business Suite to access nearly 4 million records tied to the University of Phoenix, Dartmouth College and the University of Pennsylvania.
In 2023, the same syndicate compromised nearly 900 colleges by breaching a third-party service connected to the National Student Clearinghouse and TIAA, a retirement services provider for faculty.
To limit future risk, institutions must strengthen vendor oversight, improve incident response planning and treat cybersecurity as a central pillar of institutional resilience, Steinhauer says.
“As attackers increasingly target platforms that cannot afford downtime, the education sector should expect more extortion-driven attacks aimed at maximizing pressure and disruption,” he concludes.