Education Sector Faces Rising Threats from Third-Party Software Breaches
Schools and universities struggle with cybersecurity as breaches through third-party applications rise, highlighting the need for better vendor risk management.

Key points
- 1,252 education sector data breaches reported in 2025.
- 71% of breaches exploited web application vulnerabilities.
- Over 100 organizations breached via Oracle's E-Business Suite in late summer 2025.
Cybercriminals are increasingly targeting schools and universities through vulnerabilities in the third-party software they use. Recent reports reveal that educational institutions are particularly vulnerable due to limited cybersecurity budgets and a focus on keeping systems operational for students and staff.
According to Verizon's 2026 Data Breach Investigations Report, education saw 1,252 data breaches last year, with more than half involving malware — malicious software that damages or disrupts systems. Alarmingly, 65% of these attacks included ransomware, where criminals lock files and demand payment for their release.
A significant portion of these breaches, 71%, stemmed from flaws in web applications. In one major incident, over 100 organizations, many of them educational, were breached when cybercriminals exploited a zero-day vulnerability — a previously unknown flaw — in Oracle's E-Business Suite. Another high-profile case involved the learning platform Canvas, used by over 8,000 institutions worldwide, which was taken offline due to cyberattacks during final exams.
How did the hackers get in?
The primary entry point for these attacks is through third-party software applications. When such a tool is breached, it can impact every institution using it. Hackers exploit this to make widespread ransom demands, knowing the disruption will push many schools to pay quickly.
Educational institutions often face similar risks to major corporations, needing to manage third-party risk and understand what personal data these applications access. Yet, they usually operate with far tighter resources. Experts suggest schools can improve their cybersecurity posture by developing strong third-party risk management programs and ensuring that vendors are accountable for breach notifications and security practices.
Additionally, implementing identity security measures like multifactor authentication can help protect access even if a software vendor is breached. Schools should also maintain a vulnerability management program to regularly update and patch systems.
Experts argue for more governmental support and a federal privacy law in the U.S. to relieve some of the burden on educational institutions. Increased cybersecurity funding for schools could enable them to better meet security standards and protect sensitive data.
The education sector, much like healthcare, cannot afford prolonged downtime, making them attractive targets. While attackers may have the advantage, schools can still develop resilience plans to maintain operations during cyber incidents, ensuring they can continue to function if data is compromised.



