
The Breach Your Board Has Not Talked About Yet
On May 7, 2026, students and faculty attempting to log into Canvas were greeted not by a system error or maintenance notice, but by a ransom demand displayed directly on the platform’s login page by a cybercriminal group called ShinyHunters.
The breach affected roughly 9,000 schools, universities, and education providers. The stolen data includes approximately 275 million records: names, email addresses, student IDs, enrollment records, and private messages between students and teachers.
At the University of Pennsylvania alone, ShinyHunters claimed to have compromised data belonging to 306,000 affiliated users.
This is not a story about a technical failure. It is a story about what happens when governing boards are not positioned to lead before something breaks. Most governing boards do not realize how much operational accountability they carry for technology decisions until a disruption forces those questions into the boardroom.
What Attackers Already Know About Your School
Threat actors do not choose targets at random. They run a cost-benefit analysis.
Education scores well on every variable they measure. The data is vast. Student records include names, contact details, enrollment histories, disciplinary records, and in many cases health and disability accommodations. Much of it belongs to children. A child whose data is stolen today may not discover the damage until they apply for their first credit card or student loan years from now.
The pressure points are predictable. Finals week. Enrollment deadlines. Back-to-school season. Attackers know exactly when a disruption will cause the most pain and generate the most urgency to pay.
As Scott P. noted in his May 8 analysis of the breach, "Threat actors are not choosing their targets at random. They are running a cost-benefit analysis, looking for the sectors that will give them the greatest return on the least effort."
Your school is already a target. The only question is whether your board has clear visibility into what would actually happen if something failed tomorrow.
The Structural Problem No One Names
Most independent schools have IT support. Many have vendor contracts, cybersecurity tools, and help desk coverage.
That is not the problem.
The problem is structural. Schools are heavily dependent on the security posture of their vendors, while most boards still have limited visibility into the operational and governance risks tied to those relationships. When one vendor gets compromised, every school they serve gets hit. That is exactly what happened with Canvas. It is what happened with Infinite Campus in March 2026. It is what happened with PowerSchool late last year.
ShinyHunters did not attack 9,000 schools individually. They attacked the platform sitting underneath all of them at once.
Beyond vendor dependency, there is a deeper issue. In many schools, IT leadership lacks a formal seat at the decision-making table. Technology and security leaders get treated as a support function rather than a governance function. Critical decisions about vendor selection, data policies, and risk tolerance get made without the people who understand the threat best.
In many schools, governing boards still assume these risks are being fully evaluated somewhere within the organization, even when no formal governance structure actually exists to support that assumption.
When IT is excluded from those conversations, the results are predictable.
Building renovations get approved without IT involvement. HVAC systems, security cameras, and door access panels get installed and connected to the same network as your student information system. Nobody audits the firmware. Nobody rotates the default credentials. Nobody on the technology team even knows those devices are there.
Every one of those overlooked systems is a potential entry point.
The Difference Between Running and Governed
There is a distinction that matters here, and most school leadership teams have never drawn it clearly.
Operational IT keeps systems running. Vendors manage devices, resolve tickets, and maintain software. That work is real and it matters.
Technology governance is different.
It ensures your board understands the risks surrounding those running systems. It defines who is accountable when something fails. It reviews vendor dependencies before a breach, not after.
Most importantly, it builds the playbook before the incident, not in response to one.
The schools that respond best to cyber incidents are rarely the ones improvising in the moment. The playbook exists because technology leadership was already part of the decision-making process before something went wrong.
The Canvas breach produced reactive scrambles at institutions across the country. Not because those schools lacked IT support. Because IT had not been positioned to lead before the breach happened. As Scott P. observed, when IT has been siloed off and brought in only after something breaks, a breach triggers panic because no one built the playbook in advance.
The schools that responded well were the ones where technology leadership already had a seat at the table.
What Your Board Should Be Able to Answer
You do not need to understand the technical details of how ShinyHunters exploited Canvas to ask the right governance questions. These are leadership questions, not IT questions.
If a cyber incident happened tomorrow, who would be accountable for the response and for communicating with families?
Does your board receive any regular reporting on technology risk and vendor performance?
Do you know which vendors have access to your student data, and have you reviewed their security practices?
Are there systems connected to your school network that your IT team did not spec, purchase, or approve?
Do you have a documented plan for restoring operations if your student information system became unavailable?
Most independent school boards have never formally reviewed these questions together. That gap is not a reflection of negligence. It is a reflection of how technology governance has historically been treated in education: as an operational issue rather than a fiduciary one.
That framing has to change.
The Shift That Matters
Governing boards carry fiduciary responsibility for their schools. That responsibility extends to the technology environment. Student data, staff records, financial systems, and instructional platforms are all under the board's ultimate purview.
The Canvas breach is a clear example of what happens when that responsibility is not matched with visibility. Boards at affected institutions found themselves accountable for systems they had never reviewed, risks they had never approved, and vendor relationships they had never examined.
The goal is not for boards to become technology experts. The goal is for boards to have enough clarity to ask the right questions, hold the right people accountable, and make confident decisions when something goes wrong.
Technology governance is ultimately about operational continuity, institutional trust, and leadership visibility during moments of disruption.
That clarity does not appear on its own. It has to be built.
One of the simplest ways for governing boards to begin building that clarity is by evaluating whether leadership can confidently answer a small set of operational oversight and technology governance questions.
A Starting Point
I put together a short executive assessment designed specifically for independent school leaders and governing boards. It takes about ten minutes and requires no technical background.
It is built around the governance visibility gaps I see most often in schools that have solid IT support but limited board-level oversight.
If your board has never formally reviewed its visibility into technology risk, vendor dependency, and operational continuity together, this is a practical place to start.
Take the assessment: kenneththomas.com/assessment
Credit: This article builds on analysis by Scott P., "They Did the Math: Why Threat Actors Keep Targeting Education," published May 8, 2026. Quoted material used with the author's permission.
Kenneth Thomas is a governance-focused Fractional CTO for independent schools in Florida. He works with executive directors and governing boards to eliminate hidden technology risk and establish clear oversight at the board level, without replacing existing IT vendors or teams. Learn more at kenneththomas.com.
