THE CONCENTRATION
Canvas is the dominant learning management system across North American higher education, with Instructure as the single vendor holding identity, gradebook, assignment, and message data for tens of millions of students at any one time. One vendor breach exposes a sector.
WHO SHINYHUNTERS ARE
ShinyHunters surfaced in 2020 selling stolen databases on cybercrime forums, with Tokopedia, Wattpad, AT&T, and Microsoft GitHub repos among the victims. Their model is data theft and extortion, not ransomware encryption. They steal, set a deadline, and leak if no payment arrives.
WHY STUDENT DATA
A student record is uniquely durable: name, date of birth, government ID, parent contact, home address, and academic history all tied to a person who will be identifiable for the next 70 years. Unlike a credit card, a student identity cannot be reissued.
FERPA'S TOOTHLESSNESS
The Family Educational Rights and Privacy Act of 1974 governs student record privacy in the US, but it has no breach-notification mandate and no private right of action. The only enforcement mechanism is loss of federal funding — a penalty so severe the Department of Education has never imposed it.
THE EXTORTION CLOCK
Setting a public deadline is a pricing mechanism. The shorter the window, the less time defenders have to verify the breach scope, brief executives, and coordinate with law enforcement — and the more likely the victim pays before thinking clearly. May 12 is the squeeze, not the verdict.
THE SUPPLY-CHAIN PATTERN
The 2023 MOVEit breach hit 2,700+ organizations through a single file-transfer vendor. The 2024 Snowflake campaign — also linked to ShinyHunters-adjacent actors — compromised AT&T, Ticketmaster, and Santander through one cloud data warehouse. Canvas fits the pattern: attack the vendor, harvest the customers.