We鈥檝e been seeing a rise in cyberattacks and now the next targets: Schools and universities. These are the new hotspots because they store research data, financial records, student information and extensive login databases.
And it鈥檚 a number that really is growing 鈥 Quorum Cyber even recorded 425 cyber incidents affecting higher and further education institutions between November 2024 and October 2025. The company recorded 260 incidents during the 12 months before that.
The Quorum Cyber report found data breaches increased by 73%, hacktivist activity increased by 75% and ransomware incidents increased by 21%. Researchers also found phishing caused 34% of ransomware incidents. Credential theft and stolen passwords continued throughout universities because student turnover creates constant account activity and changing user access.
Quorum Cyber reported that attackers target universities involved in advanced research, including AI and quantum computing. The company also found DDoS attacks against UK education institutions increased fivefold during the reporting window.
Jack Alexander, Senior Threat Intelligence Analyst at Quorum Cyber, said, 鈥淭he education sector is now dealing with a convergence of threats: nation-state actors seeking strategic advantage, hacktivists responding to geopolitical events and cybercriminal groups pursuing financial gain.鈥
He added, 鈥淲hat stands out in this data is how targeted and coordinated these attacks have become. In many cases, adversaries are exploiting known vulnerabilities, exposed credentials or predictable operational patterns. Universities and schools need to understand which vulnerabilities are actively being exploited, where their credentials may be exposed and how attackers are operating across the sector. The earlier these signals are identified, the greater the opportunity to disrupt attacks before they escalate into major incidents.鈥
听
What Does Reliance On Technology Mean For Education?
听
Modern schools and universities run through digital systems handling lessons, research projects, examinations, attendance records and communication platforms. Online access now supports daily academic operations throughout the education sector.
The UK government鈥檚 Cyber Security Breaches Survey 2025 found that 91% of higher education institutions experienced a breach or cyber attack during the previous year. The survey also found that 30% experienced attacks at least once every week.
Ambrose Neville, Head of Information Security at Queen Mary University of London, said, 鈥淯niversities are increasingly targeted both for the data they hold and the very diverse mixture of workloads and technologies. We鈥檝e observed attacks designed to interrupt teaching, research and day-to-day operations.鈥
He continued, 鈥淭he challenge for the sector is that openness and collaboration is fundamental to how higher education institutions operate. This makes it more challenging to simply lock systems away, in the way that some other industries may be able to. As a result, we prioritise security resilience. It鈥檚 critical to know where you鈥檙e exposed, spot threats early and respond quickly before incidents escalate.鈥
Cyber security teams managing these systems are also working longer hours. Research from Seemplicity found that 45% of cyber security leaders work 11 or more additional hours each week, while 20% work an additional 16 or more hours weekly.
Rob Babb, Exposure Management Strategist at Seemplicity, said, 鈥淕oogle鈥檚 findings suggest we鈥檙e moving beyond AI assisted code generation into AI assisted exploit reasoning, where models can identify flawed trust assumptions and navigate complex authentication logic. This has the potential to dramatically lower the barrier to sophisticated exploitation and compress the timeline between vulnerability discovery and active attacks.鈥
听
What Happened During The Canvas Cyber Attack?
听
And then, there鈥檚 the massive Canvas incident鈥
Instructure, the company behind the Canvas learning platform used in schools and universities around the world, confirmed that attackers hacked into part of its environment during a global cyber incident.
Steve Daly, CEO of Instructure, wrote, 鈥淭his incident involved unauthorised access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised.鈥
The company also confirmed that attackers exploited a vulnerability connected to support tickets in the Canvas Free for Teacher environment. Instructure temporarily disabled the Free for Teacher service during a security review. Canvas remained operational during the incident.
Daly admitted communication problems during the attack response. He wrote, 鈥淟ast week, we made a call to get the facts right before speaking publicly. That instinct isn鈥檛 wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You鈥檝e been clear about that, and it鈥檚 fair feedback.鈥
The company later announced that it reached an agreement with the unauthorised actor connected to the incident. Instructure said the data had been returned and that the company received 鈥渄igital confirmation of data destruction (shred logs).鈥 The company also announced, 鈥淲e have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.鈥
The incident affected schools and universities using Canvas throughout multiple countries and added another example of how education systems now rely on online platforms for teaching, assignments, communication and administration.
With all of this, experts speak more about our reliance on tech鈥.
听
Our Experts:
听
- Dipan Mann, Founder And CEO,Cloudskope
- Yoon Auh, Founder of BOLTS Technologies
- Candid W眉est, Senior Security Expert, Advisor And Keynote Speaker, Candid
- Rishi Kaushal, CIO, Entrust
- Muhammad Yahya Patel, vCISO And Cybersecurity Advisor, EMEA, Huntress
- Andrew Southall, Founding Engineer, SkySiege
- Jack Alexander, Senior Threat Intelligence Analyst, Quorum Cyber
- Arie Brish, St Edwards University
- James Shaffer, Insurance Panda
听
Dipan Mann, Founder And CEO,Cloudskope
听
听
鈥淲e鈥檝e come to depend on solutions across ecosystems like education, without analysing out over-dependence on them.
鈥淐ompanies that choose to frame marketing statements over truth and hide behind compliance reports rather than a committed drive to better cyber defenses are going to lose-every time.
鈥淐ontingency plans are critical events for key delivery mechanisms for industries. Education is no exception.鈥
听
Yoon Auh, Founder of BOLTS Technologies
听
听
鈥淭he Canvas breach is a textbook example of the 鈥渃entralisation trap.鈥 By allowing a single provider to dominate nearly half the North American market, the education sector has created a massive, high-value target for groups like ShinyHunters.
鈥淗owever, it takes two to tango: the affected institutions, which include the entire Ivy League and the University of California (UC) System, are not entirely blameless. These are the world鈥檚 leaders in Computer Science, Cybersecurity, and Cryptography. There is a glaring disconnect when a university鈥檚 own research departments lead the world in security theory, yet its administration fails to apply those pragmatic safeguards to its own infrastructure. It reflects poorly on the perceived value and reputation of the education they provide.
鈥淕oing forward, SaaS providers like Instructure must stop viewing cybersecurity as a 鈥榗ost center鈥 to be trimmed for efficiency and start treating it as a Value Protector and Strategic Asset. The legal repercussions and reputational 鈥榖lack mark鈥 now facing the company will surely cost multiples of whatever 鈥榚fficiencies鈥 were extracted over years of cost-cutting. Ultimately, the tuition paying students shouldn鈥檛 be the collateral damage of corporate margin expansion. This is a wake-up call to all educators that a backup plan isn鈥檛 just for IT, it鈥檚 hard to hack paper and pencil.鈥
听
Candid W眉est, Senior Security Expert, Advisor And Keynote Speaker, Candid
听
听
鈥淭he global cyberattack against the Canvas education platform demonstrated once more our critical reliance on a few key technology services. The attack disrupted hundreds of university exams for hours, highlighting a widespread lack of resilience. Every external dependency an organisation relies on introduces potential risks for data breaches, supply chain infections, and sudden system downtime.
鈥淒isaster recovery is not the same as business continuity, and organisations must include all their SaaS applications in their Business Continuity Management (BCM) planning. This does not just apply to major hyperscalers like AWS, Azure, GCP, and Cloudflare 鈥 which have caused massive outages when unavailable 鈥 but to industry-specific platforms as well. Anything you can鈥檛 surviVe without should be analysed.
鈥淭his incident serves as a stark reminder that outsourcing infrastructure does not outsource the underlying risk. While limited resources and a lack of alternatives can make it difficult to guarantee high availability, organisations still need to calculate their risk exposure and establish a solid Plan B. Furthermore, we expect the leaked information from this breach to be abused in the near future to launch context-aware, personalised phishing campaigns.鈥
听
More from News
- From Workouts To Managing Jetlag: The British Tech Scale-Up That Just Hit One Million Users Globally Appoints New CEO
- Hackers Tricked Instagram鈥檚 AI To Leak Your Log In Details 鈥 How Can Users Stay Protected?
- New Research Reveals The UK鈥檚 Top 10 鈥淔uture-Ready鈥 Cities
- New Research Shows How Elections Are Impacting The Job Market 鈥 Here鈥檚 How
- Is London Becoming The World鈥檚 Next AI Capital?
- Google鈥檚 AI Can鈥檛 Even Spell 鈥淕oogle鈥 鈥 So Why Is It Replacing Search?
- Will AI Labels Actually Save YouTube From AI Slop?
- The Rise Of 鈥淣ew Brand鈥 Cybercrime Groups And The Business Of Ransomware
Rishi Kaushal, CIO, Entrust
听
听
鈥淭he Canvas incident is a reminder that organisations can鈥檛 assume scale automatically translates into resilience. Trust in major platforms depends on more than uptime 鈥 it depends on how well sensitive data is protected, how tightly access to critical systems is controlled, and how confidently organisations can recover without exposing information during an incident.
鈥淲hat separates resilient platforms from fragile ones is disciplined execution of the fundamentals: strong identity and access controls around crown-jewel systems, consistent encryption practices, and proven recovery processes that preserve both speed and data integrity. As organisations become more dependent on large SaaS and cloud platforms, the expectation is no longer just availability 鈥 it鈥檚 the ability to recover securely and maintain trust when something goes wrong.鈥
听
Muhammad Yahya Patel, vCISO And Cybersecurity Advisor, EMEA, Huntress
听
听
鈥淭he education sector is uniquely vulnerable when it comes to data breaches, not because of weak technology, but because of who the data belongs to. We鈥檙e potentially talking about minors. Children whose personal information, including names, email addresses, and student IDs, could now be in the hands of criminal actors. Unlike a credit card, which can be cancelled, a child鈥檚 identity and educational record follow them. The implications for identity theft, targeted social engineering, and even safeguarding are serious and long lasting.
Practical Advice for those who might be affected:
鈥 Change your Canvas password immediately, and if you鈥檝e reused that password anywhere else, change it there too. Credential reuse is one of the primary ways a single breach cascades into multiple account compromises.
鈥 Enable multi-factor authentication (MFA) on your email account, especially if it鈥檚 the one linked to Canvas. Email is the master key to most online accounts.
鈥 Be alert to phishing. Attackers who have your name, email, and institution can craft highly convincing messages pretending to be from your school, Canvas, or even a specific teacher.
鈥 If something asks for login details or feels urgent, verify it through an official channel before acting.
鈥 Monitor for identity fraud. For parents, be vigilant, children鈥檚 identities are attractive precisely because they often go unchecked for a long time.鈥
听
Andrew Southall, Founding Engineer, SkySiege
听
听
鈥淢odern technology is too much of a multiplier these days to avoid. Going without it is unthinkable, hence we need to deal with the downsides such as this attack where ShinyHunters are once again sowing chaos.
鈥淲orking in cybersecurity and providing technical due diligence for acquisitions we see all sorts of applications in use. The reality is that none of them are 100% reliable and these days even giant services like GitHub are failing basic service standards, not even meeting a 90% uptime.
鈥淭herefore the strategic approach is to minimise the effect when it does happen 鈥 this includes reducing blast radius, maximising resiliency and implementing as many failover options as possible. In practical terms for this compromise 鈥 ShinyHunters claim that they have 鈥淪everal billions of private messages among students and teachers鈥︹. If true that鈥檚 an incredible amount of data to be storing, data which is likely a set of transient messages not intended for long term reference.
鈥淎dditionally, they claim that the Salesforce instance was breached as well. That infers that there鈥檚 links or ownership between those systems such that lateral movement was possible. If that鈥檚 the case then linking up systems like this is the opposite of minimising the blast radius. If Canvas had these systems directly connected it鈥檚 likely they hadn鈥檛 ascertained full visibility of what would be compromised should either side go awry.鈥
听
Jack Alexander, Senior Threat Intelligence Analyst, Quorum Cyber
听
听
鈥淭he education sector is now dealing with a convergence of threats: nation-state actors seeking strategic advantage, hacktivists responding to geopolitical events and cybercriminal groups pursuing financial gain.鈥
鈥淲hat stands out in this data is how targeted and coordinated these attacks have become. In many cases, adversaries are exploiting known vulnerabilities, exposed credentials or predictable operational patterns. Universities and schools need to understand which vulnerabilities are actively being exploited, where their credentials may be exposed and how attackers are operating across the sector. The earlier these signals are identified, the greater the opportunity to disrupt attacks before they escalate into major incidents.鈥
听
Arie Brish, St Edwards University
听
听
Rule #1 in security -there is no 100% guarantee. All you can do is add layers of protection that will improve your resilience, but it will never be 100%.
Rule#2: Always have a Plan B should something goes wrong.
鈥淔or cloud environments, companies should think beyond basic security and focus on resiliency architecture. That includes:
鈥 High Availability (HA) and real-time failover systems that keep applications running even if one environment is compromised or fails.
鈥 Multi-cloud redundancy and cross-cloud backup strategies that prevent dependence on a single provider or single point of failure.
鈥 Segmented backups, rapid recovery plans, and continuous monitoring.
鈥淭he above redundancies requires additional layers of software integrations and there are IT consultants that can help implementing (for a fee).
鈥淭he recent Canvas breach is another reminder that cloud security is no longer just about prevention 鈥 it is also about recovery speed, operational continuity, and limiting the blast radius when something eventually goes wrong.鈥
听
James Shaffer, Insurance Panda
听
听
鈥淭he current state of technology has turned a school鈥檚 student data into a digital house of cards. As demonstrated by the 鈥淐anvas鈥 cyber-attack, while efficiency may be used as a synonym for reducing failures, the ultimate result will still be a single point of failure. Schools replaced their paper records and local backup systems with the ease of using a single sign-on for the cloud. Thousands of students now pay the cost for that lack of effort. This represents a common example of poor risk management practices. In the past, we treated our platforms as utilities, without taking the necessary measures to ensure they had redundant components.
鈥淭his describes the nature of the current web. We鈥檝e become addicted to centralised solutions. At Insurance Panda, I witness companies making the same mistake over and over again. They consolidate resources into one bucket simply because it鈥檚 less expensive. However, once the bucket becomes compromised, there鈥檚 nothing left within it. The solution to the problems in education is not more software; it鈥檚 a return to offline means of building resilience. If your ability to administer a test depends on a stable Internet connection, then you do not possess a system; you own a liability.
鈥淒o not pretend to be shocked. Using a cloud-based model is inherently speculative. All institutions require a 鈥渂lack-out鈥 plan that does not include waiting for a spinning wheel. If you cannot operate during times of technological failure, then you are not providing leadership.鈥
