TECH · May 08, 2026 · Core News Daily Staff

The Biggest Student Data Breach in History Hit 9,000 Schools During Finals Week

The hacking group ShinyHunters has pulled off what security researchers are calling the biggest student data privacy disaster in history, breaching the Canvas learning platform and gaining access to billions of private messages and academic records across 9,000 schools. The attack hit during finals week at major universities, forcing Columbia University's Mailman School of Public Health to postpone exams and assignments, and prompting New York City's school chancellor to issue a public statement about two separate data privacy incidents affecting public school students.

Canvas, owned by the education technology company Instructure, went offline for several hours Thursday as the company scrambled to contain the breach. Instructure confirmed Friday that the unauthorized actor exploited an issue related to free teacher accounts, which have since been shut down. The platform was restored, but the scope of what was accessed remains unclear.

For the students and teachers whose data was exposed, the restoration of service is beside the point. Canvas is not just a homework portal. It is the central nervous system of modern education. Private messages between students and counselors, grade records, disciplinary notes, medical accommodations, family contact information, and in some cases documents related to immigration status all flow through Canvas. The platform holds the kind of intimate data that credit bureaus and healthcare companies are legally required to protect. Schools have no equivalent regulatory obligation.

The Scale of the Exposure

ShinyHunters is not a novice operation. The group claimed responsibility for the 2024 Ticketmaster breach and has a track record of targeting large databases with weak authentication. Their claim that the Canvas breach affected 9,000 schools and allowed access to billions of private messages has not been independently verified, but Instructure's decision to take the platform offline suggests the company took the threat seriously enough to disrupt service for millions of users during finals season.

The timing was not coincidental. Finals week is when Canvas usage peaks. Students and faculty are logging in constantly, submitting assignments, checking grades, communicating with counselors. Attackers who gain access during this window have maximum visibility into active sessions and fresh data flows.

In New York City, the breach affected at least seven public schools, though school officials did not identify which ones. The city's schools chancellor, Kamar Samuels, released a statement describing the district's response as working around the clock with the vendor and law enforcement agencies, including NYC Cyber Command. The statement was careful in its language. It referred to data privacy issues, not a breach. It promised more information when available, without specifying when that would be.

At Columbia, the impact was more visible. The Mailman School of Public Health postponed all exams and assignments due Friday. Columbia's provost, Angela Olinto, and two other university officials sent a message to students and faculty acknowledging that individual schools and instructors would communicate directly about impacts to final exams and deadlines. Barnard College, affiliated with Columbia, was also affected.

A Second, Separate Breach

The Canvas incident was not the only data privacy failure in New York City schools this week. On the Graphic Campus in Manhattan's Hell's Kitchen neighborhood, school administrators detected keystroke-logging malware installed in a computer lab. The malware can record every keystroke entered on an infected machine, capturing passwords, messages, and any other text typed during a session.

Technology staff removed the malware and are working with the NYPD to investigate. The school instructed all students and staff who used the computer lab over the past year to reset their passwords for any accounts they logged into during that period.

The coincidence of two separate data privacy incidents hitting New York City schools in the same week is striking but not surprising given the findings of a Monday audit by State Comptroller Tom DiNapoli. The audit identified glaring omissions in the city's student data privacy policies, suggesting that the institutional framework for protecting student information was inadequate before either breach occurred.

The Regulatory Gap That Made This Possible

Student data protection in the United States is governed primarily by the Family Educational Rights and Privacy Act, or FERPA, which was enacted in 1974 and has been updated only modestly since. FERPA restricts who can access student education records but was written for an era when records were kept in filing cabinets, not cloud platforms that process billions of interactions per semester.

The law does not require schools to encrypt student data. It does not mandate breach notification timelines. It does not require third-party vendors like Instructure to meet specific cybersecurity standards as a condition of handling student records. It does not give students or parents the right to demand deletion of their data after a breach. In short, the legal framework for protecting the most intimate details of 50 million students' lives was designed for a world that no longer exists.

State-level student privacy laws, including California's SOPIPA and New York's Education Law 2-d, add some protections, but they are inconsistent across jurisdictions and enforcement is limited. A vendor like Instructure operates nationally, subject to a patchwork of state requirements that vary in scope and rigor. The result is a system where the weakest security posture in any single state becomes the effective baseline for all students whose data passes through that vendor's infrastructure.

What This Means For You

If you are a student or parent whose school uses Canvas, assume your data has been compromised. Change your Canvas password immediately, enable two-factor authentication if available, and change passwords for any other accounts where you used the same credentials. Monitor your email and financial accounts for unusual activity, particularly if you shared any banking or personal information through Canvas messaging.

If you are a school administrator, this breach is your warning shot. Audit every third-party platform that handles student data. Ask vendors for their most recent penetration test results, their incident response plan, and their breach notification timeline. If they cannot provide these, start looking for alternatives. The legal minimum is not the same as the operational minimum for protecting children's information.

If you work in edtech policy, the gap between FERPA and the current threat landscape is not a technical problem. It is a legislative failure that Congress has had decades to address and has not. The European Union's GDPR includes specific protections for children's data and imposes meaningful penalties for breaches. The United States has FERPA, which requires schools to keep a log of who accesses student records and provides no meaningful enforcement mechanism when a third-party vendor like Instructure fails to protect them. The next breach is not a question of if. It is a question of which platform and how many schools.

Originally sourced from New York Daily News