After One Hack, 9000 schools, Africa’s EdTech boom may just be a Cybersecurity disaster waiting to happen

Cybercriminals have upgraded their strategy in the education sector. Instead of attacking one school at a time, they have figured out that it is far more efficient to attack the software platform that serves 9,000 schools simultaneously. That is exactly what happened when threat group Shiny Hunters hit Instructure’s Canvas Learning Management System in early 2026, stealing 3.65TB of data covering 275 million users, students, parents, and staff in what experts are calling the biggest cyberattack on education in history. For Africa, where edtech adoption is accelerating rapidly across Nigeria, Kenya, Rwanda, Ghana and beyond, this is not a distant Western problem. It is a preview of what is coming and a warning that the continent’s underfunded, understaffed digital education infrastructure is walking into a minefield completely unprepared.

For most of my career, I have worked at the intersection of IT, business and people, which has given me a glimpse of how every department operates, since IT is there to serve everyone else. Now permit me to explain how supply chain attacks work using a concept anyone in IT infrastructure will immediately recognise.

In a direct attack, you go after the endpoint. You knock on one door. In a supply chain attack, you go after the installer. You compromise the tool everyone uses to unlock all the doors, and suddenly, one successful breach gives you access to thousands of buildings you never had to knock on individually. That is precisely what happened to the global education sector in 2026. And Africa needs to pay very close attention because our people say what happens to cocoa may likely reach coffee.

In late April and early May, edtech company Instructure confirmed a cyberattack on its Canvas Learning Management System. The threat group Shiny Hunters claimed responsibility, stating they had stolen 3.65TB of data from 275 million users across almost 9,000 schools. Canvas is not a niche product; it is one of the most widely deployed LMS platforms on the planet, used by universities and secondary institutions across dozens of countries, according to stats by the African Development Bank Group.

The attack happened during finals week, which disrupted students mid-examination. To nobody’s surprise, many students on social media were found thanking the attackers, which tells you something about how normalised this has become.

As of May 11, Instructure said it had reached an agreement with the attackers, with the software declared safe to use, though whether a ransom was paid was never confirmed. “Reached an agreement” is the kind of corporate language that means something happened involving money, and nobody wants to say what. The strategies of grey hat hackers.

And Shiny Hunters did not stop there. Just weeks later, the same group claimed further attacks on higher education institutions, this time exploiting Oracle PeopleSoft, the ERP and student records management platform used by universities worldwide to handle admissions, financial aid, and academic records. One gang. Two attacks. Months apart. Millions of student records in the wild. This is not random opportunism; it is a deliberate strategic pivot, as I see it.

But why does education seem to be the softest target in cybersecurity? The combination of factors that makes educational institutions attractive to attackers is what experts are calling “toxic.” Schools have enormous volumes of sensitive data, covering people at the very beginning of their lives, meaning a stolen Social Security number or national ID has potentially 80 years of useful life before it expires from relevance.

You cannot change your date of birth. You cannot change your national identity number in most African countries. Medical records do not expire. Academic credentials are permanent. Every piece of data sitting in a school system is long-shelf-life, high-value inventory for identity thieves and ransomware operators alike.

Add to this that schools are funded by governments with dire priorities outside of cybersecurity (teacher salaries, infrastructure, and feeding programmes), and you have organisations that are simultaneously data-rich and security-poor. They cannot attract top-tier security talent, they run legacy systems they cannot afford to update, and they cannot take systems offline for patching because that means no school.

Then there is the device problem. Schools issue tablets and laptops, students bring personal devices, parents log in from home, and, unlike a corporate environment where you can enforce a managed device policy, a school cannot tell a fourteen-year-old that their personal phone is not allowed on the network. Every unmanaged device connecting to the school network is a potential entry point.

This didn’t happen in Africa, but we are part of it, too. Here is where I want to stop translating Western cybersecurity news and speak directly to where we are. Africa’s edtech sector has been growing aggressively. Kenya has NEMIS, the national education management information system, holding data on millions of pupils. Nigeria’s JAMB and WAEC operate digital platforms processing millions of candidates annually. Ghana’s universities are on cloud-based LMS systems. Rwanda’s education digital transformation is a government-policy-level ambition. Cameroon is rolling out digital tools into classrooms that barely have consistent electricity. The worst are basic education schools; some in the suburbs don’t even have classrooms, but let’s not go there.

Every single one of these systems is a Canvas waiting to happen, except with fewer resources, less mature incident response capability, and in many cases, no dedicated cybersecurity function at all. The issue is concentration risk. Schools cluster around a small number of platforms, and attackers know this. One successful compromise of a shared platform does not mean one victim; it means thousands. An attacker who compromises the LMS vendor used by universities across West Africa does not need to attack each university individually. They hit the vendor once and collect at scale.

Beyond ransomware, there is a growing threat called ghost students: fake applicants using stolen identities or bots to enrol in institutions and claim financial aid. In one documented case, a single operation stole over $10 million from California community colleges in a single year through fake enrollments alone. African scholarship programmes, government bursaries, and university financial aid systems are equally exposed and far less equipped to detect the pattern.

Cybersecurity experts are calling for procurement contracts between schools and vendors to include mandatory security requirements so that when a vendor is breached, there is legal accountability and minimum standards that were supposed to be enforced. That is a reasonable ask in markets where vendors face regulatory and litigation pressure. In Africa, where procurement contracts often do not even specify uptime guarantees, cybersecurity clauses are a distant ambition.

What I think is more immediately actionable is that African ministries of education need to stop treating cybersecurity as an IT department footnote and start treating student data as critical national infrastructure. A breach of a national examination board’s database is not an IT incident; it is a national security event affecting millions of families. EdTech vendors operating in Africa need to be held to the same security standards demanded in Europe and North America. If your platform is not good enough to deploy without encryption and incident response planning in London, it should not be deployed without those things in Yaounde, Douala, Lagos, Abuja or Nairobi either.

And institutions need to stop assuming that because they are not banks, they are not targets. The data held by schools, including names, birthdates, family financial records, medical information, and academic history, is exactly what identity thieves need, and it lasts decades. The attackers already know this. The only people who still think schools are low-priority targets are the people running the schools. Africa and Cameroon, in particular, are just funny. People misplace their ID cards and remain unbothered for months. There’s always this funny question I get: what will a thief be doing with my ID, why will a hacker be breaching a school database system, what are they to do with student information? Huh, I think in this part of the continent, we just get by on luck. What a sad method of living!
