Canvas Didn’t Fail Higher Ed, Higher Ed Failed Itself
- Lindsay Timcke

ShinyHunters hit Instructure twice in seven days. The first breach, on May 1st, exposed names, email addresses, student IDs, and internal messages across the Canvas user base. It was disclosed, "contained," and patched. Six days later the same actor replaced the login pages at roughly nine thousand institutions worldwide with a ransom note, citing Instructure's refusal to engage as the reason. Harvard, Princeton, Columbia, Penn, the UT system, UCLA, Duke, Wisconsin, and Northwestern were caught flat-footed during finals week.
The vendor-side failure is straightforward. You don't patch your way out of an active extortion event while the threat actor still holds the data and a working access path. A patch closes the bug that was used to get in; it does nothing about data already exfiltrated, and it only matters if every credential, token, and session the actor obtained along the way has also been revoked. Instructure treated a sophisticated adversary like a vulnerability scan finding. ShinyHunters returned to make the point in public.
The higher ed failure is structural. American universities are confederations of fiefdoms: each school, department, and research center procures technology independently of central IT, often routing around it deliberately. The security function has authority over the network spine and almost nothing else. Vendor risk management in that environment isn't difficult, it's incoherent. When the LMS falls, it isn't one vendor breach among many. It is the one system every fiefdom shares.
Concentration is now the dominant risk in education technology. ShinyHunters has hit Infinite Campus, McGraw Hill, Salesforce, and now Instructure twice, all inside roughly six months. PowerSchool was breached in late 2024 and paid. The handful of platforms running K-12 and higher ed are being worked methodically, and each compromise drops thousands of institutions into the same blast radius. The cloud didn't solve the perimeter problem. It centralized it.
The compliance posture is the tell. Research universities sit on federally funded biomedical data, export-controlled engineering work, teaching-hospital medical records, and millions of student and alumni records. The frameworks that should govern this (FERPA, GLBA, HIPAA, CMMC) are treated as reporting exercises rather than control architectures. Security is funded as a CIO line item, not as institutional risk.
Higher ed has grossly underfunded IT and cybersecurity for years, and in most instances the resulting security posture is a joke. That is not the fault of the IT staff; it is the administration placing the comfort of research and academics above security. Applications and third-party vendors have always been known as the easiest attack vector, and someone finally went and used it. No surprises.
The next breach is already in motion. The attackers have the playbook, the vendor list is short, and the buyers have proven they will pay. Higher ed leadership has spent twenty years deferring this conversation. Finals week was a poor time to discover it could not be deferred further.
