Edtech Faces Challenges from Third-Party Cyber Threats
The education sector is grappling with unprecedented cybersecurity challenges, as revealed in a recent discussion among experts in the field. With rising incidents of cyberattacks and data breaches targeting educational institutions, the urgency for enhanced protective measures has never been more apparent. The discourse brought forth by Dark Reading’s Arielle Waldman, alongside Cybersecurity Dive’s Eric Geller and TechTarget SearchSecurity’s Sharon Shea, casts a spotlight on various factors contributing to the vulnerability of this essential sector.
One significant incident highlighted was the major cyberattack on Instructure’s Canvas Learning Management System that occurred in late April and early May. The cybercriminal group ShinyHunters claimed responsibility for this attack, alleging that they purloined around 3.65 terabytes of sensitive data, encompassing the personal information of approximately 275 million users across nearly 9,000 educational institutions. By May 11, Instructure had announced that an agreement was made with the attackers, raising questions about whether a ransom was paid. This incident is a stark reminder of the fragility of the cybersecurity landscape within edtech.
Following this harrowing event, ShinyHunters purportedly executed additional attacks on higher education institutions, exploiting vulnerabilities in the Oracle PeopleSoft software. Such software is pivotal for managing student records, admissions, and financial aid. According to Google, while some organizations could mitigate these threats, others fell victim, resulting in data being exposed on leak websites. This ongoing assault on educational frameworks underscores a critical need to assess and bolster cybersecurity protocols.
Waldman mentioned the concentrated use of specific educational platforms as a potential risk factor. As educational institutions increasingly utilize certain software, the consequences of a breach can be widespread and catastrophic. For instance, the 2023 ransomware attack involving Progress Software’s MOVEit, a widely-used file transfer service in schools, further demonstrates the sector’s heightened susceptibility to supply chain attacks. This reliance on limited software options amplifies the impact when a breach occurs.
Geller further elaborated on the unique vulnerabilities plaguing educational institutions. The data these entities collect is not only extensive but deeply sensitive, often involving Social Security numbers and personal information of individuals at the very start of their lives. This data can possess an extended "lifespan" for malicious use, increasing its value considerably. Combined with the underfunded nature of most educational institutions—where resources typically prioritize teacher salaries and infrastructure—the sector becomes a prime target for cybercriminals.
Compounding these issues is the prevalence of bring-your-own-device (BYOD) policies within schools. The difficulty of managing the security of numerous personal devices, alongside school-issued tablets and laptops, creates additional vulnerabilities. Cybersecurity breaches can occur through seemingly innocuous channels as students may inadvertently introduce threats into the school network.
Waldman also indicated that students themselves sometimes pose insider threats. While often unintentional, actions such as attempting to circumvent security measures for academic or recreational purposes can inadvertently create vulnerabilities that malicious actors might exploit. As educational institutions grapple with staffing shortages, the additional noise created by such actions makes addressing real threats even more challenging.
Adding to the complexity, other sensitive data, including parents’ financial information and healthcare data, permeates the educational ecosystem. Research facilities associated with higher education institutions further amplify the risk, as they often house valuable intellectual property and governmental research contracts.
The conversation continued with concerns over procurement relationships between schools and vendors, a critical issue that often leaves educational entities at a disadvantage. Many school districts lack the leverage necessary to negotiate strong cybersecurity measures into their procurement contracts, rendering them vulnerable to future breaches.
Amid these challenges, Waldman pointed out the emergence of “ghost students”—fraudulent applications that siphon resources meant for legitimate students. These non-existent students can exploit financial aid systems and contribute to resource depletion in academic institutions.
Despite these daunting challenges, experts suggest that growing awareness of cybersecurity threats may pave a path forward for educational institutions. Building understanding within understaffed cybersecurity teams about the nature and scope of these threats is a vital early step in building a robust defense strategy. From enhanced training for educators to raising awareness among parents and students alike about phishing and identity security, a collective effort could help mitigate these rampant issues.
Waldman’s assembly of perspectives highlights just how complex the cybersecurity landscape is for education. With ransomware attacks on the rise since the onset of COVID-19, the educational sector continues to struggle with the consequences of downtime and the threat of sensitive data exposure. As these institutions evolve, so too must their strategies for combating cyber threats, reinforcing the need for vigilance, resources, and collaboration in facing this ongoing crisis.
In summary, the education sector, particularly edtech, is at a critical juncture. As cyber threats continue to proliferate, the focus on security must shift from reactive to proactive measures, integrating robust cybersecurity protocols at every level—from administrative decision-makers to individual students. Only through an informed and cooperative approach can the educational sector hope to mitigate the risks posed by cybercriminals and safeguard the invaluable data of students and educators alike.

