Hackers Hit Canvas LMS, Exposing Student Data Across Nearly 9,000 Schools

Another week, another massive breach of systems that hold your kids' personal data. This time it's Canvas, the learning management platform used by thousands of American schools, K-12 through college.
According to reporting by The Washington Post, the hack exposed personally identifying information — names, emails, potentially more — from nearly 9,000 schools. That is not a rounding error. That is a systemic failure.
What Actually Happened
Canvas is operated by Instructure, a Utah-based edtech company. It's one of the dominant platforms in American education — if your kid has ever submitted homework online, there's a solid chance Canvas was involved.
The breach pulled data tied to students and staff across thousands of institutions. The Washington Post confirmed the hack included personally identifying information, though the full scope of what was accessed is still being assessed.
Instructure has not, as of this writing, issued a detailed public breakdown of exactly what data was compromised and when the breach occurred. That silence is a problem.
This Is a Pattern, Not a Fluke
Here's what mainstream coverage keeps burying under the headline: this is NOT a one-off event.
Edtech has been a security disaster for years. In 2022, the Los Angeles Unified School District — the second-largest in the country — was hit by a ransomware attack that exposed sensitive student data, including psychological evaluations, according to reporting by the Associated Press. The attackers were the Vice Society ransomware gang.
In 2021, Illuminate Education, which served roughly 13,000 schools, suffered a breach that exposed data on over 820,000 students in New York City alone, according to The New York Times. Social Security numbers. Birthdates. Special education records.
In 2020, Blackbaud — a software company serving schools and nonprofits — paid a ransom to hackers who accessed student and donor data, then got hit with a $49.5 million settlement with 49 state attorneys general in 2023, according to the Federal Trade Commission.
Same story, different platform, every single year. Let that sink in.
Why Schools Are Easy Targets
Schools collect an extraordinary volume of sensitive data — names, addresses, dates of birth, health records, disciplinary records, family financial information from free lunch applications. Then they run that data through third-party vendors like Instructure with minimal oversight of how those vendors actually protect it.
The cybersecurity firm Emsisoft tracked 45 ransomware attacks on U.S. schools in 2023 alone, affecting over 1,400 individual schools. That number has climbed every year.
School IT budgets are notoriously thin. A 2023 report by the Consortium for School Networking found that 20% of K-12 schools had NO dedicated cybersecurity staff. Zero. None.
But that's only half the story. The other half is the edtech industry itself.
The Edtech Industry Gets a Free Pass
Here's what mainstream media keeps soft-pedaling: these are private companies making real money off student data, and they are NOT being held accountable.
Instructure, Canvas's parent company, was taken private by Thoma Bravo — a private equity firm — in 2020 in a deal worth approximately $2 billion, according to EdSurge. Private equity. Profit motive. Your kid's data.
Federal student privacy law — specifically FERPA, the Family Educational Rights and Privacy Act — was written in 1974. It has not been meaningfully updated for the digital age. It restricts what schools can do with student data, but its jurisdiction over third-party vendors like Instructure is murky at best.
The FTC has the authority to go after companies for deceptive data practices, but enforcement in the edtech space has been minimal. The Children's Online Privacy Protection Act, or COPPA, applies to children under 13 and focuses on commercial use of data — not the security infrastructure protecting it.
There is a gaping legal hole here and companies have been sailing through it for years.
What Mainstream Coverage Is Getting Wrong
The Washington Post framed this primarily as a story about school vulnerability. That framing lets Instructure largely off the hook.
The real story is a private company, backed by private equity, holding sensitive data on millions of American children, operating under outdated federal privacy law, with insufficient security infrastructure — and facing no serious legislative or regulatory consequence after a breach affecting 9,000 institutions.
This is a government failure AND a corporate accountability failure. Both things are true.
What This Means for You
If your child attends a school that uses Canvas — and there's a good chance they do — their data may have been accessed by people who have no right to it.
Contact your school district directly. Ask what data Instructure holds on your child and what notification policy is in place following this breach. You are entitled to know.
Demand your school board ask hard questions about every third-party edtech vendor they use: What data do you hold? How is it encrypted? What is your breach notification timeline? What is your liability if data is compromised?
And pressure your federal and state legislators to modernize student data protection law. FERPA is 50 years old. The internet didn't exist when it was written.
Nine thousand schools. Millions of students. ZERO acceptable excuses.
Sources used for this briefing
This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.