Third-Party Breaches Teach Education Sector a Costly Lesson in Vendor Risk

The education sector is learning a costly lesson about vendor risk, with rising threats from third-party actors forcing institutions to play defense against ransomware and other attacks. Cybercriminals have long viewed education as an enticing target, given its mix of legacy technology and new applications, uneven IT resources, and large amounts of sensitive data.

According to the 2026 Data Breach Investigations Report by Verizon Business, there were over 1,250 data breaches involving the education sector last year, with more than half of those breaches caused by malware and 65% involving ransomware. The primary vector of infection was via Web applications, which accounted for 71% of breaches in the education sector. In many cases, schools are powerless to prevent these attacks, as a single compromised application can affect every institution that relies on it.

One high-profile example is the ransomware gang’s exploitation of a zero-day vulnerability in Oracle’s E-Business Suite last summer, which affected over 100 organizations and a large number of educational institutions. Another case involved cyberattacks on Instructure’s learning management system, Canvas, which forced thousands of schools to take their systems offline and caused significant disruption during final exams and the end of the school year. The group claiming responsibility negotiated an arrangement with Instructure that was likely a ransom payment.

These attacks are not isolated incidents. In 2023, attackers exploited a vulnerability in the managed file transfer application MOVEit in a massive breach affecting over 2,700 organizations, including National Student Clearinghouse and the New York City public school system. The threat landscape facing education institutions is far from static, with no single platform able to protect against these types of attacks.

The broad reach of third-party software-as-a-service applications like Canvas makes them appealing targets for attackers, as a successful attack can affect thousands of institutions. As Adam Marrè, CISO at Arctic Wolf, notes, “I think the timing was not coincidental” in the case of the Canvas attacks, with cybercriminals looking to maximize leverage by targeting schools during the end of the school year.

The education sector is facing a daunting challenge in managing third-party risk, particularly when it comes to vendor software applications. While institutions can do their best to protect themselves, they often have little control over the security of these third-party systems. As Erich Kron, CISO Advisor at KnowBe4, notes, “In a lot of cases, the main organization that’s beat up over a breach isn’t the one who was at fault.”

To mitigate this risk, education institutions need to prioritize vendor management and take steps to ensure that their third-party vendors are secure. This includes conducting regular security audits, implementing robust access controls, and requiring vendors to adhere to strict security standards. By doing so, schools can reduce their exposure to cyber threats and minimize the impact of a potential breach.

In conclusion, the education sector must learn from these costly lessons and take proactive steps to manage vendor risk. With the increasing threat landscape facing educational institutions, it is imperative that they prioritize cybersecurity and take measures to protect against third-party attacks. By doing so, schools can ensure the safety and security of student data and minimize the financial and reputational fallout of a potential breach.


Source: Dark Reading — 2026-06-27