Canvas attack aftermath: What risks come next?

The compromise of student data turned a cyber mom into a cyber mama bear
Aparna Williams

I’ve spent more than twenty‑five years in cybersecurity advising organizations on how to prepare for and respond to threats, including ransomware events. I know the playbooks. I know the threat actors. I know how these incidents unfold. None of that mattered the moment I learned my child’s personal information was part of the April 2026 cyberattack involving the Canvas learning platform. 

In a matter of minutes as the news sunk in, the analysis, the legal frameworks, and the incident response muscle memory all gave way to a parent’s fear. This wasn’t about networks or negotiations anymore. It was about a child who never agreed to be part of the risk calculus. It was the sobering realization that even a lifetime in cybersecurity doesn’t insulate you — and the little humans for whom you would lay down your life — from the most personal consequences of these attacks. In that instant, the seasoned cyber professional disappeared and someone more like Liam Neeson in the movie Taken came out to play. I was itching to use my particular set of skills.

And like the movie, which became a series, the cybersecurity community knows all too well that the pain doesn’t end with the initial intrusion. The ramifications can and will follow these kids for life. 

Here’s what happened

According to public reports, attackers associated with the ShinyHunters cybercriminal group, which Sophos Counter Threat Unit™ (CTU) researchers track as GOLD CRYSTAL, allegedly exfiltrated 3.65 TB of data from Canvas, affecting thousands of organizations. Instructure, the parent company of Canvas, stated on May 11 that it reached an agreement intended to prevent the publication of the stolen information and received evidence of data destruction from the threat actor.

However, history has shown us that we can’t trust threat actors. While those developments may reduce the likelihood of immediate public exposure, educational institutions (including administrators, IT and security personnel, and other staff), students, and parents must remain alert to the broader downstream risks that often follow incidents like this — particularly phishing, impersonation, and other social engineering attacks.

Why education remains a prime target

Educational institutions have become increasingly attractive targets for financially motivated attackers. Schools and universities manage large user populations, rely heavily on third-party cloud platforms, and maintain trusted communication channels among administrators, educators, students, and parents. The amount of money that flows across these systems — for field trips, donations, tuition, fees, you name it — rivals small-town banks. Even when stolen information appears limited to usernames, email addresses, or enrollment-related records, that data can still be highly valuable to attackers. Cybercriminals do not always need passwords or financial records to launch effective campaigns. Context alone can be enough.

A threat actor who knows where a student attends school, which systems are used for communication, and who receives institutional emails can craft convincing phishing messages designed to steal credentials, bypass multi-factor authentication (MFA), or trick victims into providing sensitive information. That risk becomes even more significant when threat actors have a demonstrated history of social engineering activity.

The growing role of impersonation and vishing

My son was raised on cybersecurity awareness from the moment he could say his ABCs. He is familiar with the concept of “it’s not if, it’s when,” still asks me before he clicks on links, and proudly shows me when he can spot a phishing email. He even counsels his friends on how to react when they receive strange emails. He was visibly concerned when I shared this next piece of data with him.   

Earlier this year, Sophos researchers observed a sophisticated voice phishing campaign attributed to GOLD CRYSTAL in which attackers impersonated internal IT or helpdesk personnel. Victims were directed to fraudulent single sign-on pages designed to harvest credentials and authentication tokens. 

Attackers know how to manipulate that sinking feeling you get each time you get a call from school, in those moments before the person on the other end assures you that “everything with your child is ok, we just wanted to tell you...” These attacks are particularly effective because they exploit trust rather than just technical vulnerabilities. In educational environments, those trusted relationships extend beyond faculty and staff. Parents routinely receive urgent notifications from schools regarding schedules, payments, forms, transportation, account access, and student communications. Threat actors understand this and increasingly tailor attacks to mirror legitimate school operations. 

Following incidents like the reported Canvas breach, schools and universities should anticipate the possibility of various tactics:

  • Fraudulent password reset notifications
  • Fake tuition or payment requests
  • Impersonated school administration emails
  • Malicious MFA prompts
  • Fake IT support calls or messages
  • Credential harvesting pages designed to mimic school login portals

While there is no evidence so far that data stolen in the Canvas incident has been exposed, data leaks have followed other attacks on educational institutions. In cases like those, schools and universities should anticipate how that information may be weaponized. Again, it’s not “if” but “when.”

Why parents should pay attention

Parents were not traditionally part of an educational institution’s cybersecurity threat surface; however, families now interact with schools almost entirely through digital platforms. Learning management systems, parent portals, mobile notifications, and cloud-based communication tools have become central to modern education operations. As a result, parents may receive a high volume of legitimate emails and alerts, which creates ideal conditions for phishing attempts to blend in seamlessly.

Attackers often rely on urgency and familiarity. A message that appears to come from a school administrator or technology department requesting a password reset or urgent account verification can be highly convincing, especially during periods of heightened awareness following a publicized incident. Limiting the scope and impact of an attack requires the vulnerable population to follow instructions, so those instructions need to be simple. My school district sent out a message each day reminding everyone to stay logged out of Canvas.  

Parents, students, and staff should be cautious of unsolicited requests for credentials or payment information, unexpected MFA prompts, or links directing them to login pages. When possible, users should navigate directly to trusted school portals instead of clicking embedded links in emails or text messages. If available, use the more modern and secure passkey authentication mechanism.

What schools and universities should do now

Educational institutions should prioritize preparing for follow-on attacks rather than assuming the risk ended with the reported containment of the breach. Even when threat actors claim that stolen data has been deleted, organizations should operate under the assumption that exposed information may still circulate within criminal ecosystems or be used in future phishing campaigns.

Institutions should consider the following steps:

  • Strengthen authentication controls. Where possible, organizations should deploy phishing-resistant authentication methods such as FIDO-based passkeys or hardware security keys. Traditional MFA methods that rely on SMS or push notifications are vulnerable to social engineering techniques.
  • Review helpdesk and support workflows. Attackers increasingly target support channels because they often involve trusted human interaction. Schools should review identity verification procedures for password resets, account recovery requests, and administrative support functions.
  • Increase phishing and vishing awareness. Advise faculty, staff, students, and parents that attackers may impersonate internal IT personnel or school administration. Training should include awareness around voice phishing, fake login portals, and MFA fatigue attacks.
  • Monitor for suspicious identity activity. Security teams should closely monitor authentication systems for unusual login behavior, impossible travel events, abnormal MFA requests, or repeated failed login attempts tied to institutional accounts.
  • Communicate proactively. Transparent communication can significantly reduce the effectiveness of follow-on phishing attacks. Institutions should consider notifying their communities about likely scam themes and reminding users how legitimate school communications are handled.
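
The "monitor for suspicious identity activity" step above can be sketched as detection logic over authentication events. This is an added example, not code from the article or from any vendor; the event type names, thresholds, account names, and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds; tune them against your own identity provider's baseline.
MAX_KMH = 900                          # faster than a commercial flight
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMITS = {"login_failure": 5, "mfa_prompt": 4}   # hypothetical event types

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """events: (iso_time, user, event_type, (lat, lon)) tuples; returns sorted alerts."""
    alerts = set()
    last_ok = {}                   # user -> (time, location) of last successful login
    recent = defaultdict(deque)    # (user, event_type) -> timestamps inside the window
    for ts, user, kind, loc in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "login_success":
            if user in last_ok:
                t0, loc0 = last_ok[user]
                hours = (t - t0).total_seconds() / 3600
                dist = km_between(loc0, loc)
                # Ignore small geo-IP jitter; flag speeds no traveller could reach.
                if dist > 100 and (hours == 0 or dist / hours > MAX_KMH):
                    alerts.add((user, "impossible_travel"))
            last_ok[user] = (t, loc)
        elif kind in BURST_LIMITS:
            q = recent[(user, kind)]
            q.append(t)
            while t - q[0] > BURST_WINDOW:   # drop events older than the window
                q.popleft()
            if len(q) >= BURST_LIMITS[kind]:
                alerts.add((user, kind + "_burst"))
    return sorted(alerts)

# Constructed sample events (not real data): time, account, event type, geo-IP location
CHI, BER = (41.88, -87.63), (52.52, 13.40)
SAMPLE = [
    ("2026-01-01T08:00:00", "parent1", "login_success", CHI),
    ("2026-01-01T08:40:00", "parent1", "login_success", BER),
    ("2026-01-01T09:00:00", "student3", "login_failure", CHI),
    ("2026-01-01T09:01:00", "student3", "login_success", CHI),
] + [(f"2026-01-01T10:0{i}:00", "teacher2", "mfa_prompt", CHI) for i in range(4)] \
  + [(f"2026-01-01T11:0{i}:00", "staff4", "login_failure", CHI) for i in range(5)]
print(detect(SAMPLE))
```

A single mistyped password followed by a successful login (student3) raises nothing, which keeps the alert volume focused on the patterns the list names: impossible travel, abnormal MFA requests, and repeated failed logins.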

A broader lesson for the education sector

The Canvas incident highlights a broader reality facing education today: cyberattacks are no longer isolated technical events. Modern attacks frequently combine data theft, extortion, impersonation, and social engineering into long-running campaigns that continue well after the initial intrusion is contained.

For schools and universities, resilience increasingly depends not only on preventing breaches, but also on preparing communities to recognize and respond to the manipulation tactics that follow them. It is personal, no matter how you look at it. 

For parents, students, and educators alike, continual education (no pun intended) and vigilance remain tried and true first lines of defense.