The breach On May 5, 2026, TechCrunch reported that education technology giant Instructure — maker of Canvas, the learning management system used by thousands of schools and universities — had suffered a data breach exposing students' private information. According to a sample of allegedly stolen data seen by TechCrunch, the breach includes students' personal information. The attackers are reportedly the group known as "ShinyHunters," previously linked to breaches at Wattpad, Pixlr, and other platforms. Instructure has not yet confirmed the full scope of the breach as of publication, but the incident fits a troubling pattern in the education technology sector. Why ed-tech breaches hit different Student data is among the most sensitive categories of personal information. It includes: Full names and home addresses Dates of birth and Social Security numbers Academic records and disciplinary histories Special education classifications Medical information submitted to schools Behavioral and psychological assessments Unlike credit card numbers, this data cannot be changed. A child's Social Security number exposed in a breach can be used for identity theft for decades. Yet education technology companies have historically underinvested in security relative to the sensitivity of their data: FERPA, the U.S. federal student privacy law, was last meaningfully updated in 1974 and lacks modern breach notification requirements. Many school districts lack dedicated security staff, making them dependent on vendor security practices. Ed-tech procurement often prioritizes features and price over security posture. The ShinyHunters pattern The group claiming responsibility for the Instructure breach has a documented history: Wattpad (2020): 270 million records Pixlr (2021): 1.9 million records Hosted databases (ongoing): Constant scanning for exposed APIs and databases Their methodology is not sophisticated. They find exposed APIs, unpatched systems, or misconfigured cloud storage — basic security hygiene that enterprise-grade companies should have solved years ago. The fact that ShinyHunters can still breach major ed-tech platforms in 2026 suggests the industry's security maturity remains low. The broader context This breach arrives amid other 2026 education privacy incidents: Covenant Health reported a breach affecting nearly 478,000 patients, including students where health and education records overlap. Navia (a benefits administrator) informed 2.7 million individuals of a breach exposing sensitive information. The 2026 NASCIO-Deloitte study found state CISO confidence has collapsed, with just 22% believing their data is protected from cyberthreats. What schools and parents can do For school administrators: Audit vendor security before procurement. Ask for SOC 2 Type II reports, penetration test results, and incident response plans. Minimize data collection. If a learning app doesn't need a student's home address, don't provide it. Require encryption. Data at rest and in transit should be standard, not optional. For parents: Ask what apps your school uses. Many parents don't know which third-party platforms have access to their child's data. Opt out where possible. FERPA allows parents to opt out of directory information sharing — a small but meaningful step. Monitor credit. Children are increasingly targets of identity theft because their credit histories are clean slates. The bottom line Education technology companies operate in a sector where the customers (schools) lack security expertise, the users (children) cannot consent, and the regulators (FERPA) are decades out of date. The Instructure breach is not an isolated incident. It's a predictable outcome of an industry that treats student data as a testing ground for features rather than a trust to be protected. The students whose data was exposed will graduate, enter the workforce, and apply for mortgages with breach histories stretching back to kindergarten. The companies that collected that data? They'll issue a statement, hire a PR firm, and move on. Unless regulators — and school districts — start demanding better.