Last updated 3 weeks ago
Infinite Campus, a major K-12 student information system provider serving over 10 million students across the United States, disclosed a data breach in March 2026 following an extortion attempt. The breach exposed sensitive student, parent, and staff information, though the specific volume of records was not quantified in the public notification. The company confirmed unauthorized access to its systems.
The threat actor ShinyHunters claimed responsibility for the data theft and initiated an extortion campaign against Infinite Campus. The attack involved unauthorized access to the company's infrastructure, resulting in the exfiltration of personally identifiable information from the student information system database. The compromised data types include student records, parent contact details, and staff administrative information.
Infinite Campus issued breach notifications to its customers, which include thousands of school districts nationwide. The company engaged third-party cybersecurity experts to investigate the incident and is coordinating with law enforcement agencies. No information was provided regarding ransom payment or specific containment milestones.
This breach highlights the critical need for robust access controls and monitoring in educational technology platforms that aggregate sensitive student data across multiple districts. The successful unauthorized access by ShinyHunters suggests potential weaknesses in authentication mechanisms or insufficient detection of lateral movement within the student information system environment. Organizations handling large-scale educational data must implement enhanced threat detection specifically tuned for extortion-focused threat actors targeting centralized repositories of minor PII.
Sign in to join the discussion.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector
Threat Actor
Continent
Country
Industry
Attack Vector
Threat Actor