Getting Schooled By ShinyHunters
For years, cybersecurity professionals warned organizations that they were only as secure as their weakest link. What they perhaps did not fully appreciate was that the weakest link might not even belong to them. Increasingly, the most devastating cyberattacks are not directed at the ultimate victim, but at the vendors, cloud providers, SaaS platforms, authentication services, managed service providers, and software ecosystems that support thousands of victims simultaneously.
The reported breach of Instructure, the maker of the widely used Canvas learning management platform, by the extortion group ShinyHunters is merely the latest example of a profound strategic evolution in cybercrime.
The target was not a single university. It was the infrastructure beneath thousands of them. According to reporting by Inside Higher Ed, the attackers claimed that nearly 9,000 educational institutions and approximately 275 million users may have been affected. Whether or not those numbers ultimately prove accurate, the significance lies elsewhere. Attackers no longer think in terms of breaching one company at a time. They think in terms of leverage, aggregation, and concentration of trust.
Why rob one bank branch when you can compromise the armored car?
That strategy has become the defining characteristic of modern cybercrime. The education sector is hardly unique. In fact, virtually every major cyber incident over the last several years has reflected the same underlying principle: Attack the vendor, not the customer.
SolarWinds Warning
The 2020 compromise of SolarWinds demonstrated this with brutal clarity. Rather than directly attacking federal agencies and Fortune 500 companies individually, attackers allegedly associated with Russian intelligence compromised the Orion software update mechanism itself. The result was downstream access to thousands of customers, including the Departments of Treasury, Homeland Security, Commerce, and Justice, along with major private-sector entities. See U.S. Cybersecurity & Infrastructure Security Agency, Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise” (Dec. 13, 2020). Likewise, the 2021 ransomware attack against Kaseya did not initially target hundreds of businesses individually. Attackers targeted a managed service provider platform that itself managed downstream IT services for thousands of small and medium-sized organizations worldwide. One compromise multiplied into thousands.
The same pattern emerged in the compromise of MOVEit file transfer software in 2023. Rather than breaching banks, insurers, law firms, healthcare providers, and government agencies separately, attackers exploited a vulnerability in a trusted data transfer product used by all of them. The result affected organizations ranging from the U.S. Department of Energy to major universities, pension funds, and financial institutions. Healthcare experienced the same phenomenon through the 2024 attack on Change Healthcare, a critical payment and claims processing intermediary whose compromise disrupted pharmacies, hospitals, insurers, and providers nationwide. Attackers did not need to breach every hospital individually. They attacked the transaction hub through which the healthcare system operated.
No industry is immune because no industry remains operationally isolated. The modern enterprise is no longer a discrete organization with a perimeter. It is an interconnected mesh of vendors, APIs, identity providers, cloud systems, software dependencies, outsourced analytics, AI engines, and shared infrastructure. Every organization today effectively operates as part of someone else’s supply chain.
And attackers understand this better than many boards of directors do. The economics are compelling. Traditional hacking required compromising one victim at a time. Vendor-centric attacks create economies of scale. One exploit can produce access to thousands of entities simultaneously. One stolen administrator token may unlock an entire ecosystem. One compromised update mechanism can weaponize trusted software distribution itself.
The attack against Canvas highlights why educational technology providers are particularly attractive. Learning management systems now function as identity repositories, communications platforms, behavioral analytics engines, grading systems, document storage systems, and collaboration environments simultaneously. According to the reporting, the attackers allegedly obtained names, email addresses, student identifiers, and private communications between students and faculty. That data has immense downstream value.
The next phishing attack will not be a generic “Your account has been suspended” email riddled with grammatical errors. It will reference actual professors, actual courses, actual assignments, actual university communications, and perhaps even actual private discussions. The more contextualized the stolen data, the more persuasive the social engineering becomes. This reflects another major shift in cybercrime. Attackers increasingly prioritize trust relationships rather than technical vulnerabilities alone.
The compromise of a trusted vendor carries a unique advantage: the victim organization has already lowered its defenses voluntarily. The software is already installed. The API connections are already authorized. The single sign-on integration is already trusted. The data-sharing agreements are already executed. The firewall rules are already configured to permit access. The attacker does not need to break down the front door. The vendor already possesses the keycard.
In SaaS, Nobody Can Hear You Scream
This all raises a critically important issue that many organizations still fail to address adequately: Contractual responsibility. Most organizations spend enormous time negotiating SaaS pricing, uptime guarantees, feature sets, and service levels. Far fewer spend equivalent time carefully negotiating who bears responsibility when the inevitable breach occurs. That omission can be catastrophic.
Companies increasingly discover after an incident that the vendor disclaimed liability for consequential damages, capped liability at a few months of subscription fees, shifted notification obligations back to the customer, limited indemnification obligations, or narrowly defined what constitutes a “security incident.” Even more dangerously, contracts often fail to clearly allocate who “owns” the breach from a regulatory perspective. That question matters enormously.
Who has the responsibility to determine whether personally identifiable information was compromised? Who conducts the forensic investigation? Who retains breach counsel? Who pays for notification costs? Who decides whether regulators must be informed? Who handles credit monitoring? Who bears responsibility for multi-state breach notification compliance? Who interfaces with the FBI, state attorneys general, OCR, SEC, FTC, or foreign regulators? Who controls litigation strategy? Who pays for class action defense? Who carries cyber insurance applicable to the event?
Far too often, the answer after a breach becomes: “We thought the other party was handling that.”
Modern breach notification statutes create substantial pressure on organizations to move quickly. Every U.S. state now has some form of breach notification law. Sectoral regulations such as HIPAA, GLBA, FERPA-related obligations, state biometric laws, SEC cyber disclosure rules, FTC enforcement authority under Section 5, and international regimes such as GDPR may all impose overlapping obligations. Delays caused by contractual ambiguity can themselves create regulatory exposure.
Indeed, some of the most important language in a SaaS agreement today may not concern software functionality at all. It may concern definitions of “security incident,” cooperation obligations, audit rights, incident response timelines, allocation of notification responsibilities, insurance requirements, subprocessor obligations, and indemnification for downstream regulatory or litigation costs. The old technology model treated vendors as suppliers. The modern model requires organizations to treat them as extensions of enterprise risk.
Modern SaaS vendors increasingly aggregate enormous datasets for AI training, analytics, behavioral prediction, personalization, fraud detection, and operational optimization. A breach of a single vendor no longer merely exposes stored records. It may expose inference systems, behavioral models, training data, and metadata relationships spanning thousands of organizations simultaneously. The concentration of data and functionality creates irresistible targets.
The broader lesson of the ShinyHunters attack is therefore not about education specifically. It is about architecture. The very efficiencies that made cloud computing, SaaS platforms, centralized authentication, and integrated ecosystems economically attractive also created unprecedented concentrations of risk. Organizations spent decades building interconnected digital infrastructure optimized for convenience, scalability, integration, and cost reduction. Cybercriminals merely adapted faster to the implications of that architecture than many defenders did.
The old cybersecurity model focused on defending your network. The new reality is that your network may already extend through hundreds of vendors you neither fully control nor fully understand. That means cybersecurity is no longer simply an IT issue. It is now fundamentally a supply-chain governance issue, a contractual risk allocation issue, and increasingly, a board-level fiduciary issue.
And the attackers have already figured that out.