Why schools became the top ransomware target in 2026

Last updated 9 May 2026.

The Canvas / Instructure breach attributed to ShinyHunters in May 2026 affected roughly 9,000 institutions. The Jaguar Land Rover attack in 2025 attributed to the same group ran into hundreds of millions of pounds of impact. Across 2024 and 2025, schools and universities consistently ranked among the most-attacked sectors globally (Source: BBC News, 9 May 2026; sector trend data tracked by NCSC, ACSC, CISA in their annual reports).

This is not a coincidence. It is a target choice based on four factors that all favour the attacker.

A typical secondary school holds records on hundreds to thousands of children: names, dates of birth, addresses, parent contact details, payment information, safeguarding notes, special educational needs assessments. Universities expand the scope to financial aid records, immigration data, and intellectual property.

This volume and variety of personal data is exactly what makes credentials, identity-fraud kits, and targeted phishing valuable on the dark web. A school is, in attacker economics, a small healthcare network without the matching defensive budget.

A 1,500-pupil secondary school in the UK typically has one to three IT staff covering everything. A multi-academy trust covering 30 schools may have a central team of five to ten. Compare that to a finance company of similar revenue size: a dedicated SOC, full-time security headcount, and a budget tens of times larger.

The attacker knows the maths. The defensive constraint at most schools is human time, and AI-volume attacks are designed precisely to overwhelm that constraint.

Schools depend on dozens of SaaS vendors handling student data. The Canvas breach showed how a single vendor compromise cascades to 9,000 institutions in days. The school does not need to be hacked directly. Any of its SaaS vendors going down is enough.

Attackers have noticed. Vendor compromise is a more efficient attack than school-by-school targeting; one successful breach hits thousands.

School leadership operates on a calendar dictated by exam cycles, term boundaries, and parent communication windows. A vendor going down mid-exam puts pressure on leadership to restore service fast, which historically has correlated with higher payment rates.

The Canvas breach landed in the final exam window across multiple time zones. That timing was not random.

Three layers, each catching attacks at a different stage:

• AI-native endpoint and email (Coro for unified, ESET for lightweight). The 2025 to 2026 generation of AI-generated phishing requires AI-native classification to catch reliably.
• Continuous attack surface monitoring (Hadrian). Surfaces credential leaks and exposed assets before attackers do.
• Anti-data-exfiltration (BlackFog). The data-leak phase that precedes payment demands cannot complete if exfiltration is blocked at the device.

Deployed end to end this stack runs roughly £20 to £60 per device per year, materially less than the average breach response cost in the UK education sector (Source: NCSC sector reports).