When the breach is not really about the breach
- Kirra Pendergast


Here is what we know so far. Instructure, the American company behind Canvas and QLearn, has been breached, and the data sitting inside that breach belongs to children. The exposed information includes children’s names, school email addresses, school locations, student ID numbers, and in some cases the contents of user messages. We are also told that no passwords, financial details or dates of birth were taken, and that is the line the company would prefer everyone hold onto, because the data that was taken is already enough to do real harm.
It is enough to send a parent a believable email that looks like it came from the school. It is enough to write a child a believable message that looks like it came from a teacher. It is enough to test those school email addresses against a hundred other consumer platforms a young person has signed up to with the same address and watch quietly to see which doors open. It is the standard mechanic of how modern attacks against schools begin.
When a tech vendor reports a breach as “limited” because the most obviously sensitive fields were not taken, what they are quietly doing is shifting the cost of the incident onto the schools and families who now have to live with the consequences for years. The platform’s reputational risk window closes inside a news cycle, but the exposure window for a twelve-year-old whose name, school and student ID are now circulating on a forum somewhere does not close at all. This is the asymmetry that platforms keep externalising onto everyone downstream of them, and it is worth saying out loud rather than burying it under another carefully worded statement.
A school email address is a credential that quietly threads through every learning platform, every cloud drive, every shared document, every authentication system, and every third-party tool the school has integrated over the years, very often under tight timelines and tighter budgets, and almost always before any of us understood the kind of attack pattern we are now living with. When that credential is compromised, even partially, attackers do not need to break in through the front door, because they can walk in through a side gate that was set up years ago, in good faith, when nobody was yet thinking about exactly this scenario.
There is a question every parent and carer can ask their child this week, and it will probably be the most useful conversation they have all term: have you ever used your school email to sign up for anything that was not actually for school? The honest answer, in almost every household, is yes, and usually yes, many times across many platforms, including social media, Discord, gaming sites, online shopping, homework helper apps, meme generators, and the occasional random sign-in for a friend’s birthday RSVP. Children do this because they have always been handed an email address without much explanation of the architecture sitting behind it and have been quietly expected to intuit information governance on their own. None of us were taught this, including most of the adults reading these words now, and this is one of the parts of school technology that schools and families are still learning together.
What is worth saying clearly this week
A school email is for school, and not for gaming, shopping, social media, or signing up to apps and platforms that have nothing to do with learning, because every one of those external sign-ups is a small private door that ties back to the school’s identity system, and every one of those doors will eventually be tested by someone.
Strong, unique passwords across every account, with two-factor authentication switched on wherever it is offered, are no longer a luxury for tech-savvy families; they are simply the seatbelt of modern digital life, and they belong on every account that matters.
Unexpected emails referencing the school, the platform, the breach itself, or any “verify your account” request should be treated with healthy suspicion, because the phishing wave that follows breaches like this one is predictable, well-resourced and tailored to look plausible to the people who are already busy and tired and trying to do the right thing.
The rule of thumb worth teaching every child and every staff member is simple:
If a message creates urgency, slow down, because urgency is the engine of almost every successful attack. And if anything looks odd, the right move is to report it inside the school first, before clicking, before forwarding, and before deleting.
The harder conversation is one we are all in together
Cybersecurity in education has quietly become a board-level issue, and our governance frameworks, like everyone else’s across every sector, are still catching up to that reality. It now sits squarely inside operational risk, child safety, duty of care, business continuity and reputational management, and it is no longer something that can sit with school IT teams alone, who in most schools are already stretched thin and doing extraordinary work with very limited resources.
The decisions about which third-party platforms to procure, what data those platforms can access, how that access is reviewed, and what is supposed to happen when one of them is breached, are leadership decisions that affect children, and they deserve the same scrutiny that a school excursion risk assessment receives, and arguably more, because the digital footprint a child carries out of a school is far larger and far longer-lived than any physical one. Schools cannot carry this on their own, families cannot carry it on their own, and platforms will not carry it without sustained pressure from everyone else at the table.
None of this requires fear-based messaging. Panic is the laziest tool in the toolbox, and it almost always backfires, especially with parents who are already carrying more than they can comfortably hold. What works, in classroom after classroom and staffroom after staffroom, is calm, repeated, plain-language education, year-round, anchored in real examples, and delivered without judgment of children, of parents, or of the schools that are absorbing more digital risk every year while still being expected to teach reading and writing and everything in between.
The work, as it has always been, is to keep teaching the human skills that the technology will not teach itself:
• Pause before you click.
• Ask before you sign up.
• Tell someone if it feels wrong, and remember that the platform is not your friend, but the school very much is, and so is speaking up and asking for help.
If you would like to work with us on onsite education, policy and governance, or advice, please reach out at hello@safeonsocial.com.