The education sector is being forced to play catch-up in terms of cybersecurity, with rising threats from third-party actors putting student data at risk. Cybercriminals have long viewed the education sector as a lucrative target due to its mix of legacy technology and new applications, uneven IT resources, and vast amounts of sensitive data.
According to Verizon Business’s 2026 Data Breach Investigations Report, there were over 1,250 data breaches involving the education sector last year, with more than half of those breaches attributed to malware and a staggering 65% linked to ransomware. The primary vector of infection is via Web applications, which accounted for 71% of breaches in the education sector.
The problem lies in third-party compromises, where a single breach can affect every institution that relies on the compromised application. This is precisely what happened when a ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite, breaching over 100 organizations, including many educational institutions. Similarly, in May this year, a pair of cyberattacks forced Instructure to take its learning management system, Canvas, offline, affecting thousands of high schools and universities.
Canvas has more than 30 million active users globally, with over 8,000 institutions as customers. The group claiming responsibility negotiated an arrangement with Instructure, likely involving a ransom payment, promising not to further extort individual schools. This incident highlights the critical importance of protecting platforms like Canvas, which are essential infrastructure for many educational institutions.
It’s worth noting that third-party attacks can have far-reaching consequences, as seen in the massive breach affecting over 2,700 organizations when attackers exploited a vulnerability in the managed file transfer application MOVEit. National Student Clearinghouse was among the affected organizations, impacting 900 universities, as well as the New York City public school system and the Minnesota Department of Education.
To mitigate these risks, education institutions must take proactive steps to manage third-party risk. This includes conducting thorough assessments of vendor security controls, implementing robust due diligence processes, and maintaining open lines of communication with vendors in case of an incident. It’s also essential for educational institutions to prioritize cybersecurity training and awareness programs for staff and students.
Ultimately, the education sector cannot afford to ignore the growing threat landscape. By prioritizing cybersecurity and taking proactive measures to manage third-party risk, institutions can better protect student data and prevent costly breaches. As Instructure CEO Steve Daly noted in a statement following the Canvas incident, “The threats facing academic institutions and education technology providers aren’t going away… No single platform can build a resilient ecosystem alone, but I believe we can as a community.”
Source: Dark Reading — 2026-06-27