
Cybercriminals Are Targeting EdTech: Data Breaches and Ransomware Attacks on the Rise

Cyber Threat Intelligence

academia, education, data leak, data breach, ransomware


Tuesday, June 16, 2026, 10:11 UTC — The education technology (EdTech) sector has become a prime target for cybercriminals as attacks against educational institutions and related platforms continue to escalate. With sensitive data, including student records, employee information, and payment data, stored on EdTech systems, the sector has become an appealing target for cybercriminals seeking financial gain, data exploitation, and reputational damage.

Recent high-profile incidents, including attacks by groups such as ShinyHunters and FulcrumSec, highlight the vulnerability of educational organizations and the increasing sophistication of cyber extortion tactics.


Recent High-Profile Attacks on EdTech and Educational Institutions

ShinyHunters Target EdTech Platforms

The notorious hacking group ShinyHunters, known for their cyberattacks on e-commerce and healthcare platforms, has recently expanded their operations to target EdTech companies. Over the past months, ShinyHunters has reportedly infiltrated multiple EdTech platforms, stealing millions of user records containing student names, addresses, email IDs, and other personally identifiable information (PII).

In one attack, ShinyHunters breached an online learning management system (LMS) used by schools globally, exposing the PII of over 4 million students and educators. The stolen data has since appeared for sale on dark web marketplaces, putting millions of individuals at risk of identity theft and phishing attacks. ShinyHunters’ modus operandi typically involves exploiting weak API endpoints or unprotected cloud databases—common vulnerabilities in many EdTech platforms that are rapidly scaling their services without prioritizing security.

The education sector is facing an unprecedented cyber onslaught. As schools and universities have rapidly adopted cloud-based EdTech platforms—ranging from Student Information Systems (SIS) to Learning Management Systems (LMS) like Canvas and PowerSchool—they have become high-value targets for cybercriminals. These attacks have not only disrupted operations but have also exposed the sensitive data of millions of students and educators, raising urgent questions about the security and governance of educational technology.

The gang also stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March. Infinite Campus is an education technology (EdTech) company that provides a student information system (SIS) to over 3,200 school districts across the United States, managing data for 11 million students in 46 states.

Today (June 16, 2026) — ShinyHunters announced new victims, including, but not limited to:

- Glendale Community College
- Moody Bible Institute
- Illinois Central College
- Houston City College


FulcrumSec Claims Responsibility for Ransomware Attack on Global Schools Foundation

In another devastating incident, the cyberextortion group FulcrumSec has claimed responsibility for a massive ransomware attack targeting the Global Schools Foundation (GSF), an international network of educational institutions headquartered in Singapore.

The attack, which occurred in early June 2026, resulted in the encryption of critical systems across GSF's schools in multiple countries, disrupting operations and leaving students and staff unable to access essential services. FulcrumSec has reportedly demanded a ransom to restore access to the encrypted data and prevent the release of sensitive information stolen during the attack.

According to the actors, "We contacted GSG in early May and offered them a fair settlement. For context, our ask was less than the cost of a single year’s tuition for a classroom of students at their Singapore campus. It was 0.17% of Apollo’s committed capital. It was, by any measure, a fraction of the regulatory and legal exposure GSG now faces." Notably, in this case, to estimate the ransom level, the actors indirectly targeted Apollo Global Management, an American asset management firm with investments in GSG.

According to sources, the stolen data includes not only student records but also sensitive details such as financial transactions, employee contracts, and communications between parents and school administrators. FulcrumSec has threatened to publish the data on their leak site if the ransom is not paid, leveraging a double-extortion tactic that has become increasingly common among ransomware groups.

The group targets sensitive data stored in cloud environments (like AWS, MongoDB, and GCP) and threatens to publish the exfiltrated information publicly unless a ransom is paid. They have been linked to multiple major breaches, including a compromise of LexisNexis cloud environments and a breach of Australian fintech firm youX.

GSF's Response

The Global Schools Foundation has confirmed the attack in a public statement, stating:
"We are working closely with cybersecurity experts and law enforcement agencies to address the cyberattack on our systems. Protecting the privacy and security of our students and staff is our top priority, and we are taking all necessary steps to mitigate the impact of this incident."

Authorities in Singapore and other affected countries have launched investigations into the attack, while cybersecurity experts assisting GSF have described the ransomware as highly sophisticated.


Why EdTech is a Prime Target

The educational sector, particularly EdTech companies, has become a lucrative target for cybercriminals due to several factors:

  1. Sensitive Data Troves: EdTech systems store significant amounts of personal and financial information, including student records, faculty data, and payment information, making them valuable for identity theft and financial fraud.

  2. Rapid Digital Transformation: The COVID-19 pandemic accelerated the adoption of digital learning platforms, but many organizations prioritized scalability over security, leaving systems vulnerable to attack.

  3. Limited Security Resources: Many educational institutions and EdTech companies lack the financial and technical resources to implement robust cybersecurity measures, making them easier targets compared to other industries.

  4. Double Extortion Tactics: Cybercriminals increasingly use double extortion techniques, where they steal data before encrypting it and then threaten to leak it unless their demands are met. This tactic has proven highly effective in pressuring organizations to pay ransoms.

  5. Global Reach: Many EdTech companies and educational institutions operate on a global scale, making breaches more impactful as they affect students, parents, and educators across multiple countries and jurisdictions.


The Growing Threat of Cyber Extortion Groups

Groups like ShinyHunters and FulcrumSec represent the evolving landscape of cybercrime. These actors operate with sophisticated tools and strategies, often leveraging vulnerabilities in cloud systems, legacy infrastructure, and poorly secured APIs.

ShinyHunters: A Persistent Data Breach Threat

ShinyHunters is infamous for its large-scale data breaches, and their pivot to targeting EdTech highlights how cybercriminals adapt to emerging opportunities. Their attacks are characterized by:

  • Targeted API exploitation: Exploiting insecure endpoints to exfiltrate data.
  • Database misconfigurations: Accessing unprotected cloud databases.
  • Selling stolen data: Monetizing stolen records through dark web marketplaces.

FulcrumSec: Masters of Ransomware and Double Extortion

FulcrumSec, on the other hand, specializes in ransomware attacks combined with double extortion tactics. Their operations often involve:

  • Advanced ransomware tools: Using customized encryption techniques that are difficult to decrypt without paying the ransom.
  • Leak sites on clearnet or TOR: Publishing stolen data to pressure victims into paying.
  • Sophisticated lateral movement: Spreading ransomware across interconnected systems to maximize damage.

Both threat groups are credible and have an established track record of incidents. Notably, GSG (the victim organization) initially claimed that ShinyHunters had taken the same data at an earlier date and were also extorting them. They said ShinyHunters had “shown them the entire database,” but FulcrumSec contacted ShinyHunters directly to ask about this. ShinyHunters stated that they had never heard of GSG.


What Can EdTech and Educational Institutions Do?

Given the increasing frequency and severity of attacks, it is critical for EdTech companies and educational institutions to prioritize cybersecurity. Recommended actions include:

  1. Strengthen Infrastructure Security: Ensure that all systems, including APIs and databases, are properly secured with encryption, access controls, and regular vulnerability assessments.

  2. Invest in Threat Detection and Response: Deploy advanced threat detection tools and establish incident response plans to mitigate the impact of attacks quickly.

  3. Train Employees: Conduct regular security awareness training to help employees recognize phishing, social engineering, and other attack vectors.

  4. Implement Backup and Recovery Plans: Maintain secure, offline backups of critical data to ensure business continuity in the event of a ransomware attack.

  5. Engage Cyber Insurance: Consider cyber insurance to cover financial losses and response costs associated with data breaches and ransomware attacks.


Conclusion

The rise of cyberattacks on the EdTech sector, as evidenced by recent incidents involving ShinyHunters and FulcrumSec, underscores the urgent need for stronger cybersecurity measures. Educational institutions and EdTech companies must recognize the value of the data they hold and invest in the tools, processes, and training required to protect it.

As cybercriminals continue to evolve their methods, collaboration between governments, cybersecurity firms, and educational organizations will be vital to staying ahead of the threats and ensuring a safe digital learning environment for students and educators worldwide.
