Why the Canvas breach is a SaaS risk story
Last updated 9 May 2026.
The ShinyHunters attack on Instructure is a textbook supply-chain breach. Schools using Canvas had no compromise of their own infrastructure. The attacker reached the data by compromising the vendor running the platform. Roughly 9,000 institutions felt the impact (Source: BBC News, 9 May 2026).
This pattern is now the dominant breach vector for schools. Direct attacks on a school's on-prem network are rare. Indirect attacks via the SaaS vendors handling SIS, MIS, learning platforms, finance, payment processing, and parent communications are the new normal.
How many SaaS vendors handle your student data?
Most schools underestimate this number. A typical secondary school in 2026 has between 20 and 60 SaaS vendors with some level of access to student data. Common categories:
- Learning platform (Canvas, Google Classroom, Microsoft Teams Education)
- Student information system (SIMS, PowerSchool, MyEd, Edsby)
- Finance and payments (ParentPay, SchoolCloud, ParentMail)
- Communications (parent email, text, push)
- Wellbeing and safeguarding (CPOMS, MyConcern)
- Library and resource platforms
- Cloud storage and collaboration
- Single sign-on / identity provider
- Cybersecurity tooling itself
Each is a potential breach path. Each has its own update cycle, its own credential model, its own data handling.
A school-sized vendor risk programme
You do not need an enterprise GRC team to do this well. Start with a four-step programme:
1. Inventory. List every SaaS vendor with access to student data, parent data, payment data, or staff credentials. A spreadsheet works for under 50 vendors.
2. Tier. Assign each vendor one of three tiers: Critical (handles bulk PII or finance), Important (limited PII or operational), Nice-to-have (low data exposure). The tier dictates review depth.
3. Assess. For each Critical vendor, document their last SOC 2 / ISO 27001 status, their breach history, their data residency, their incident notification SLA. AI-driven platforms like Panorays automate this for vendors above a certain size.
4. Monitor. Subscribe to vendor security advisories, set up Google Alerts on each Critical vendor name plus "breach", and review each quarter against your tier list.
Time cost: roughly two days per term once the inventory is built.
What to ask every Canvas-equivalent vendor
Five questions that flag a vendor with weak posture:
- "When was your last third-party penetration test, and can we see the executive summary?"
- "What is your contractual notification time for a breach affecting our data?"
- "Where does our data physically reside, and which sub-processors have access?"
- "Do you encrypt data at rest, and are the keys held so that you cannot decrypt our data without our involvement?"
- "What is your data deletion procedure when we offboard?"
A vendor who cannot answer in writing within a week is a vendor whose breach you are insuring against with no premium reduction.
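The four-step programme above and the five written questions can be kept in one small register rather than a hand-maintained spreadsheet. The script below is an added example, not code from the article or from any product it names: it tiers each vendor from the data categories it holds, lists the assessment gaps for Critical vendors (missing attestation, missing notification SLA, unanswered questions, prior breaches), and flags vendors whose termly review is overdue. The category labels, the 13-week approximation of a term, and every vendor record are this example's own assumptions and constructed sample data.

```python
"""Added example (not from the article): a minimal school vendor risk register
implementing inventory -> tier -> assess -> monitor and scoring each Critical
vendor against the five written questions. All records are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Data categories that drive tiering (labels are this example's own assumption).
BULK_CATEGORIES = {"bulk_pii", "finance", "payments", "staff_credentials"}
LIMITED_CATEGORIES = {"limited_pii", "operational"}

# The five written questions from the article, keyed by a short id.
FIVE_QUESTIONS = {
    "pentest": "last third-party penetration test with executive summary",
    "notification": "contractual breach notification time",
    "residency": "data location and sub-processors",
    "encryption": "encryption at rest with customer-controlled keys",
    "deletion": "data deletion procedure on offboarding",
}

# Assumed review cadence: one school term, approximated here as 13 weeks.
TERM = timedelta(weeks=13)


@dataclass
class Vendor:
    name: str
    data_handled: set[str]
    attestation: str | None = None          # e.g. "SOC 2 Type II", "ISO 27001"
    breach_history: list[str] = field(default_factory=list)
    notification_sla_hours: int | None = None
    answered: set[str] = field(default_factory=set)  # ids from FIVE_QUESTIONS
    last_reviewed: date | None = None


def tier(v: Vendor) -> str:
    """Step 2: Critical > Important > Nice-to-have, driven by data exposure."""
    if v.data_handled & BULK_CATEGORIES:
        return "Critical"
    if v.data_handled & LIMITED_CATEGORIES:
        return "Important"
    return "Nice-to-have"


def assess(v: Vendor) -> list[str]:
    """Step 3: gaps to raise for a Critical vendor; lower tiers get a lighter pass."""
    findings: list[str] = []
    if tier(v) != "Critical":
        return findings
    if v.attestation is None:
        findings.append("no SOC 2 / ISO 27001 attestation on file")
    if v.notification_sla_hours is None:
        findings.append("no contractual breach notification SLA")
    for qid, text in FIVE_QUESTIONS.items():
        if qid not in v.answered:
            findings.append(f"unanswered in writing: {text}")
    if v.breach_history:
        findings.append("prior breaches to review: " + ", ".join(v.breach_history))
    return findings


def review_due(v: Vendor, today: date) -> bool:
    """Step 4: termly review; a vendor never reviewed is always due."""
    if v.last_reviewed is None:
        return True
    return today - v.last_reviewed > TERM


def register_report(vendors: list[Vendor], today: date) -> dict[str, dict]:
    """One row per vendor: tier, assessment findings, and whether review is due."""
    return {
        v.name: {"tier": tier(v), "findings": assess(v), "review_due": review_due(v, today)}
        for v in vendors
    }


# Step 1: constructed sample inventory. Names are placeholders, not real assessments.
SAMPLE_INVENTORY = [
    Vendor("Learning platform (example)", {"bulk_pii"}, attestation="SOC 2 Type II",
           notification_sla_hours=72, answered=set(FIVE_QUESTIONS),
           last_reviewed=date(2026, 3, 1)),
    Vendor("Payments (example)", {"payments", "limited_pii"},
           answered={"pentest", "residency"}),
    Vendor("Library platform (example)", {"operational"}, last_reviewed=date(2025, 9, 1)),
    Vendor("Revision app (example)", set()),
]
SAMPLE_REPORT = register_report(SAMPLE_INVENTORY, date(2026, 5, 9))

if __name__ == "__main__":
    for name, row in SAMPLE_REPORT.items():
        print(f"{name}: {row['tier']}, review due: {row['review_due']}")
        for finding in row["findings"]:
            print("  -", finding)
```

Running it on the constructed inventory shows the point of tiering: the payments vendor, holding payment data with no attestation, no SLA, and three of the five questions unanswered, is the one that surfaces with five findings and an overdue review, while the low-exposure revision app is only flagged for its first review.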
Where AI-native security pays for itself
Two specific products materially shrink supply-chain risk for schools:
- Panorays for vendor risk monitoring. Continuous external attack-surface scanning of every vendor on your list, with AI-driven autonomous questionnaires that surface the laggards without your team chasing replies.
- BlackFog for anti-data-exfiltration on your own devices. Even when a vendor breach pulls data sideways, BlackFog prevents your own staff and student devices from being used as the exfiltration channel for follow-on attacks.
Paired with a single-platform AI-native stack such as Coro, the school covers the basics, the supply chain, and the device perimeter without cobbling together five separate tools.
Frequently asked questions
How often should we review our SaaS vendor list?
The tier list should be reviewed termly. The full inventory should be re-baselined annually, with new vendor onboarding triggering an immediate review.
We are a small primary school. Is this overkill?
No. Small schools are disproportionately targeted because attackers assume weak controls. The four-step programme scales down to roughly half a day per term for a 200-pupil school.
What if our existing vendor refuses to answer security questions?
A non-answer is an answer. Document the refusal, raise it at SLT, and consider whether a replacement vendor is a better fit. Most reputable SaaS vendors handling school data can produce a SOC 2 Type II report or equivalent on request.