Canvas breach a human trust failure, not a technology failure – expert

In the wake of the biggest education data breach in history, tough questions are being asked – chief among them: how did this happen?

As the dust settles, some disturbing details are coming to light. The breach didn’t begin with sophisticated malware or some hidden technical flaw. The hackers – known as ‘ShinyHunters’ – simply posed as teachers and walked through the front door.

The cybercrime group allegedly gained access to Canvas by exploiting trust-based onboarding systems, creating fake “Free-For-Teacher” accounts with minimal identity checks. As a result, more than 275 million student and teacher records across 9,000 institutions in 41 countries – including Australia – were exposed.

The breach is a stark reminder that today’s cybercriminals are no longer just targeting software vulnerabilities. Increasingly, they’re targeting people, trust, and everyday processes.

A human trust failure

Stacey Edmonds is the CEO of Lively, creators of The Cyber Safety Game, which includes the game Dodgy or Not? for students.

She says the Canvas breach is fundamentally a human trust failure, not a technology failure.

“The breach entered through Free For Teacher accounts - a provisioning system designed for easy adoption, exploited through credential theft and social engineering,” Edmonds told The Educator.

“The door was opened by a human process, not a defeated firewall. Technology failures get fixed with patches. Human trust failures require something harder: a genuine change in governance and culture.”

On 11 May, educational institutions worldwide that were using Canvas breathed a big sigh of relief when Instructure announced it had reached an agreement with ShinyHunters, who said the stolen data had been deleted.

Edmonds said while that is a better outcome than many expected, it is worth being clear about what actually happened.

“A company responsible for the data of millions of students found itself entirely dependent on the good faith of a criminal group to make it right,” she said. “We were, quite literally, relying on honour among thieves. In this case, it held. That cannot be the security strategy schools depend on.”

Edmonds said the lesson for school leaders is not that platforms cannot be trusted.

“It is that the human governance layer — who has access, how platforms are vetted, and how staff and students are prepared for what follows a breach — matters far more than most schools have invested in.”

Mitigating the risk of targeted follow-on scams

Edmonds said the best way for schools to respond now is to build human recognition capacity.

“Technical controls do not stop a message that appears to come from a known teacher, references a real assignment, and uses details drawn from stolen Canvas communication,” she said. “What stops it is a person who recognises the manipulation before they act.”

Edmonds said schools need to teach their communities three things: that urgency is a manipulation tool; that unusual requests - even from familiar sources - should be verified through a separate channel before acting; and that saying "this felt wrong" is always the right first move.

“This is exactly why we built Dodgy or Not - because recognising social engineering is a skill, and skills are built through practice, not policy documents,” she said. “Schools that make that investment now will be materially better protected when the next incident arrives.”

Edmonds said school leaders should also urgently review their onboarding, verification and staff training processes, highlighting three priorities.

“First, establish a clear verification protocol - what staff and students do when a request feels unusual, regardless of who it appears to come from. Verify through a known channel. Not by replying. Not by clicking the link. This needs to be practised before it is needed,” she said.

“Second, audit account access across all connected platforms. Former staff, contractors, and departed students with active accounts are standing vulnerabilities. Remove stale access now.”

The final step, said Edmonds, is equally critical.

“Schools should replace compliance-based awareness training with scenario-based practice. Knowing phishing exists is not the same as recognising it in the moment it arrives - Phishy or Not?!”

'Canvas will not be the last EdTech platform to be targeted'

Below, Edmonds outlined some other practical steps that school leaders can take to ensure their schools are protected from cyberattacks moving forward.

“Conduct a supply chain audit. List every platform holding student or staff data and ask what their security commitments are. Canvas will not be the last EdTech platform to be targeted,” she said.

“It’s also prudent to establish an incident response process before you need one. Who communicates what, to whom, and when — that should be decided in advance, not improvised under pressure.”

Edmonds said it is an especially important time for school leaders to brief their community while the breach is in the news and people are receptive.

“Be specific about what was taken, what it means, and what to do if something feels wrong.”

Finally, said Edmonds, investing in cyber safety education that reflects the actual threat can be the difference between protection and panic.

“Password hygiene and stranger-danger were designed for a different era. The threat students face now arrives through familiar channels, from familiar names, with real context,” she said.

“That requires a different kind of education — one built around recognition and instinct, not rules and compliance.”