Threat Intelligence

EdTech Supply Chain Attacks: How Vendor Breaches Expose UK Schools and Universities

The 2023 MOVEit vulnerability, exploited by the Clop ransomware group, demonstrated that EdTech supply chain risk is not theoretical. Universities and schools globally that used MOVEit for managed file transfer found sensitive institutional data exfiltrated without any direct attack on their own systems. Combined with the Pearson breach (2018, disclosed 2019, US enforcement 2021), which exposed UK school student assessment data, and the Capita data breach of 2023, which affected the Universities Superannuation Scheme (USS) and other education sector organisations, it is clear that EdTech vendor security is now a critical concern for any education institution holding pupil or student data.

MOVEit vulnerability 2023: universities globally had data exfiltrated via a trusted file transfer platform they did not directly control. Capita breach 2023 affected the Universities Superannuation Scheme (USS).

The EdTech Supply Chain: What Schools Are Sharing

UK schools and universities typically share personal data with dozens of EdTech vendors — far more than most governing bodies realise. Common categories include:

  • Student information systems (MIS): Arbor, SIMS, iSAMS — holding complete pupil records
  • Learning management systems: Google Classroom, Microsoft Teams for Education, Canvas
  • Assessment platforms: exam board systems, adaptive assessment tools like AIMSweb (Pearson)
  • Communication platforms: ParentMail, School Gateway, Seesaw
  • Finance and HR systems: payroll providers, ESFA reporting platforms
  • Managed file transfer platforms: MOVEit and similar tools used for data exchange with local authorities

MOVEit: A Case Study in Third-Party Risk

The MOVEit vulnerability (CVE-2023-34362) was a SQL injection flaw in Progress Software's MOVEit Transfer platform, exploited by the Clop ransomware group in a mass exploitation campaign in May and June 2023. Organisations that used MOVEit — including universities, NHS bodies, and government agencies — had data exfiltrated before patches were available. The attack required no credentials and no user interaction — simply having the vulnerable platform internet-exposed was sufficient. This is the defining characteristic of supply chain attacks: the school or university's own security posture is irrelevant. The vulnerability was in a platform they trusted and used, over which they had no direct security control.

Capita Breach and the Universities Superannuation Scheme

The Capita data breach of 2023 affected multiple organisations that used Capita's managed services, including the Universities Superannuation Scheme (USS), the pension scheme for UK university academic and professional staff. Personal data belonging to USS members was among the data potentially accessed in the breach. Capita confirmed that data left in an unsecured Amazon S3 bucket was accessible for a period. The incident highlighted that outsourcing to large managed service providers does not eliminate supply chain risk; it concentrates it.

How Schools Should Manage EdTech Vendor Risk

Under UK GDPR, schools remain the data controller for pupil data shared with vendors. Practical steps for managing EdTech supply chain risk include:

  • Maintain an inventory of all EdTech vendors processing personal data
  • Ensure Data Processing Agreements are in place with all vendors
  • Review vendor security questionnaires or certifications (Cyber Essentials, ISO 27001, SOC 2)
  • Monitor vendor security disclosures — subscribe to their security bulletins
  • Minimise data sharing — only share the data each vendor actually needs
  • Audit vendor access — revoke access promptly when vendor relationships end
  • Include cybersecurity requirements in procurement processes for new EdTech tools
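
The checks in this list can be run mechanically against a vendor register. The script below is an added example, not part of the original article: the CSV column names, vendor names and dates are constructed for illustration, and the accepted certifications are the three named in the list above.

```python
import csv
import io
from datetime import date

# Constructed sample register: vendors and column names are hypothetical.
REGISTER_CSV = """vendor,dpa_signed,certifications,contract_end,access_active,fields_shared,fields_needed
ExampleMIS,yes,ISO 27001,2026-08-31,yes,name;dob;address;sen_status,name;dob;address;sen_status
ExampleQuiz,no,,2026-07-20,yes,name;dob;address,name
ExampleTransfer,yes,Cyber Essentials,2024-03-31,yes,name;dob,name;dob
"""

ACCEPTED_CERTS = {"Cyber Essentials", "ISO 27001", "SOC 2"}


def split_list(cell):
    """Split a semicolon-separated cell into a set of trimmed values."""
    return {v.strip() for v in cell.split(";") if v.strip()}


def audit_register(csv_text, today):
    """Return {vendor: [findings]} for every vendor with at least one gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # A written DPA must exist before any personal data is shared.
        if row["dpa_signed"].strip().lower() != "yes":
            issues.append("no Data Processing Agreement on file")
        # At least one recognised certification should be evidenced.
        if not split_list(row["certifications"]) & ACCEPTED_CERTS:
            issues.append("no recognised security certification evidenced")
        # Access must be revoked once the vendor relationship has ended.
        ended = date.fromisoformat(row["contract_end"]) < today
        if ended and row["access_active"].strip().lower() == "yes":
            issues.append("contract ended but access still active")
        # Data minimisation: flag fields shared beyond what the vendor needs.
        excess = sorted(split_list(row["fields_shared"]) - split_list(row["fields_needed"]))
        if excess:
            issues.append("shares more than needed: " + ", ".join(excess))
        if issues:
            findings[row["vendor"]] = issues
    return findings


if __name__ == "__main__":
    for vendor, issues in audit_register(REGISTER_CSV, date(2025, 1, 15)).items():
        for issue in issues:
            print(f"{vendor}: {issue}")
```

Run on the sample register with an audit date of 15 January 2025, it flags the vendor with no DPA and excess data fields, and the vendor whose contract has ended but whose access was never revoked.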

Frequently Asked Questions

Who is responsible if an EdTech vendor suffers a data breach affecting pupil data?

The school or university remains the data controller and bears primary accountability to the ICO under UK GDPR. However, if the breach was caused by the vendor's failure, the vendor (as data processor) may also face ICO scrutiny. Schools can seek contractual remedies against vendors for breach of Data Processing Agreement terms — but this requires having adequate DPA terms in place before the breach. Schools should always have written DPAs with EdTech vendors before sharing any personal data.

How can schools assess the security of EdTech vendors?

Ask vendors for evidence of security certifications — Cyber Essentials, ISO 27001, or SOC 2 Type II. Review their privacy policy and data processing terms. Ask where data is stored (UK/EEA or third countries). Ask about their incident response procedures and how they would notify you of a breach. For significant vendors processing sensitive data, a security questionnaire sent during procurement provides a documented baseline. Panorays automates third-party risk assessment across your vendor portfolio.

What should schools do if an EdTech vendor notifies them of a breach?

Assess immediately whether personal data of pupils, staff, or parents was involved. If so, determine whether the breach is likely to result in risk to individuals — if yes, notify the ICO within 72 hours. Notify affected individuals if the risk is high. Review your Data Processing Agreement to understand the vendor's breach notification obligations. Document all steps taken. Review whether the vendor relationship should continue, given the breach circumstances.
