American classrooms are becoming one of the fastest-growing frontiers for cyber risks as the evolution of AI makes it easier for malware to easily leak into school-wide networks. In this context, EdTechs are scrambling to improve security guardrails and protect student information.
In May, Instructure's Canvas platform reported a massive cyberattack linked to the notorious hacking group ShinyHunters. The move compromised over 275 million records across 9,000 schools worldwide, becoming one of the largest education-sector data breaches in history.
Other platforms that rely on cloud-sync technologies could also pose risks for school cybersecurity, as real-time sync can easily spread malware through entire systems and give hackers access to sensitive student information. Most of these platforms will sneak in through simple gestures, such as cookies or allowing tracking in between apps.
These situations are increasingly becoming more common across schools in the US, causing distress among parents and teachers as to how they can better protect their children from online risks.
Why Schools Have Become Prime Targets
As digital learning revolutionizes traditional education, schools are increasingly relying on third-party platforms and online resources to maximize student learning; however, most of these platforms rely on cookies and APIs that need access to databases and sensitive information, allowing malware to leak inside networks.
The networks and platforms are now so interconnected that a single flaw in the system can put an entire school district at risk. Features like live sync, single sign-on, shared accounts, and learning platforms' permissions provide easy access for hackers into student data.
Charlie Sander, CEO of ManagedMethods, a cybersecurity platform focused on K-12 school systems, says schools no longer function inside "a neat, closed network" and the usage of different tools, while helpful for learning, expands the attack surface for hackers. Most schools, he said, lack the tools to control them.
"The Canvas incident is just one example of the risk. A vendor platform used across many schools can become a single point of exposure for thousands of districts and institutions. Unfortunately, this is what makes edtech vendors particularly attractive to attackers. Even when educational institutions have strong internal controls, they have very little visibility into how a vendor secures its own environment, how third-party integrations are managed, whether every account has MFA, or how quickly suspicious activity is detected and contained," Sanders told International Business Times.
The AI Dimension
As schools and the education system overall adopt AI-powered tools, cybersecurity experts and child safety advocates warn that educational technology is entering unknown territory.
Modern AI tools can process speech patterns, adapt lessons, explain information in-depth, and read learning patterns among student cohorts. While efficient, the features rely on large amounts of data and require access to children's sensitive data. And in order for AI usage inside classrooms to be actually safe, the responsibility should fall on answerable parties, not the children themselves.
Ivan Crewkov, CEO of Buddy.AI, a voice-based AI tutor designed for children aged 3 to 8, says many companies are still struggling to meet baseline privacy standards for minors.
Under the Children's Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13, maintain strict privacy safeguards, and limit how long data can be stored.
"Very few AI companies aimed at children obtain COPPA compliance because they're built on top of large public models and therefore lose control over the data," Crewkov told International Business Times.
Platforms such as Buddy require parental consent before use, and personally identifiable information (PII) is deleted after each session as part of their data protection practices.
Unlike general-purpose chatbots adapted for children, these systems are typically designed around structured educational frameworks that include planned sessions, defined learning topics, and progress tracking. In this model, the language model functions as one component within a broader instructional system rather than as a standalone product.
The rapid growth of AI in education has also created a new tension for developers: the same personalization that makes AI tutors effective often depends on collecting and remembering student information. Both Sanders and Crewkov maintain that meaningful learning experiences do require memory and adaptation, but these should be built around privacy protection, rather than data collection by itself.
The AI panorama is now based around accountability rather than just innovation; voice recordings, behavioral data, learning patterns, and conversational histories can create detailed digital profiles of children long before they are old enough to understand how that information may be used in the future.
The recent incident with Instructure's Canvas has already risked the online safety of over 270 million students in the US, and unfortunately, this is not an isolated case.
At the beginning of 2026, PowerSchool, one of the most widely used Student Information Systems (SIS) in North America, suffered a major data breach. Security experts noted that the breach occurred because of a failure to secure basic entry points, leaving school systems exposed to hackers and leaving over 2.7 million students affected.
This is not an issue with just technology itself; it is a matter of how these online tools use automation and data entry in a way that keeps children safe and provides visibility for IT teams and parents to prevent data breaches.
The AI Revolution
In order to actually mitigate the risks of AI usage inside classrooms, AI literacy and educating students and educators on how to properly protect their data inside these apps are also essential.
Since many popular and helpful tools have not yet implemented proper data security guardrails, students must know how to identify suspicious activity inside these platforms and which permissions are safe to grant.
There are now some platforms, such as IvySchool.ai, that offer AI safety courses promoting tech literacy before delving into AI learning and using chatbots for skills development.
Experts say schools must also educate children on issues such as misinformation, deepfakes, online manipulation, and the risks of sharing personal information with conversational AI systems. Students should know how to navigate the AI ecosystem properly without compromising their privacy and safety.
Jonathan Selby, Technology Vertical Lead at Founder Shield, a risk management firm for venture-backed businesses, says many EdTech companies remain vulnerable to what he describes as "side door" security failures; low-friction onboarding systems, poorly monitored integrations, and teacher-facing accounts that can bypass stricter security controls. This is where Canvas failed and left a severe security breach.
"We're seeing more and more insurers adopt Zero Trust architecture and require centralized security reviews of all third-party integrations. We're also seeing a 'Risk Operations Center' (ROC) requirement, in which insurers reward companies that use AI-driven behavioral analytics to spot bot-like patterns or 'ghost students' in real time," Selby told International Business Times. "If an EdTech company cannot demonstrate active governance over how AI interacts with its data layers, it is either seeing excluded coverage or premiums that reflect the high-risk reality of the 2026 threat landscape."
Once student names, teacher communications, or school data are exposed, attackers can use AI tools and large language models to automate highly personalized phishing campaigns targeting students, parents, and educators.
Together, the changes reflect a larger reality confronting modern education: protecting children in the age of AI is no longer simply a technical problem for school IT departments to solve. It is becoming a question of governance, accountability, and whether the institutions shaping the next generation are prepared to safeguard not only how students learn, but the digital identities they will carry for the rest of their lives.
