What the Infinite Campus Breach Reveals About School Data Risk

A March 2026 breach at Infinite Campus targeted an internal CRM, not the student database. Infinite Campus serves 11 million students across 46 states.

On March 25, 2026, a data extortion group called ShinyHunters posted what it described as a “final warning” on its dark web site. The target was Infinite Campus, a student information system used by 3,200 school districts to manage records for roughly 11 million students across 46 states. The group claimed to have stolen personally identifiable information from Infinite Campus’s systems and gave the company a deadline to make contact and negotiate a ransom. Infinite Campus said it wouldn’t engage with the attacker.

This could have been significantly worse than it was. Understanding why it wasn’t is the useful part of this story.

What happened

The breach began on March 18, 2026. An unauthorized actor gained access to an Infinite Campus employee’s Salesforce account. Salesforce, in this context, wasn’t the student information system itself. It was Infinite Campus’s internal CRM (customer relationship management platform), used for case management, ticketing, and customer support correspondence. The company detected suspicious activity the same day, disabled the compromised account, and launched an investigation. The period of active unauthorized access lasted 38 minutes.

ShinyHunters escalated anyway. The group had access to Salesforce records, and it used that leverage to demand payment. Infinite Campus’s investigation concluded that no customer databases were accessed and that the data potentially exposed consisted of staff names and contact information, much of which is already publicly listed on school district websites. The company notified potentially affected districts and began scanning its Salesforce environment for any data that might have been accessed or exfiltrated during the 38-minute window.

Infinite Campus also disabled certain customer-facing services for accounts that weren’t connecting under IP address restrictions, a precautionary step to limit any further risk while the investigation continued. The company stated publicly that it would not pay the ransom and declined to engage with ShinyHunters.

ShinyHunters is a well-documented threat actor. Security researchers and journalists at BleepingComputer, Cybernews, and other outlets have tracked the group’s activity over several years. The group was involved in the 2024 data theft from Snowflake customer accounts that affected Ticketmaster, AT&T, and a number of other large organizations. Their pattern in recent incidents has been to compromise a credential or account at a target company, extract available data, and use the threat of public exposure as leverage for payment.

Why it matters

The outcome here was comparatively good. Staff contact information is not the same as student academic records, disciplinary files, health data, or the kind of personally identifying information that enables identity theft. Infinite Campus is one of the most widely used K-12 student information systems in the country, and the actual student database wasn’t touched. That’s the important fact.

But the attack structure is worth examining. ShinyHunters didn’t accidentally stumble onto Infinite Campus. The group targeted a company specifically because that company holds, or is believed to hold, sensitive data on millions of children. The Salesforce CRM was a path toward something they expected to find. What they found there wasn’t as valuable as what they were apparently looking for, but the decision to target Infinite Campus reflects an accurate assessment of the data available in its core systems.

What Infinite Campus’s student information system actually contains is worth spelling out. School SIS platforms like Infinite Campus manage student names, dates of birth, home addresses, parent and guardian contact information, enrollment history, attendance records, grades, test scores, disciplinary records, IEP and special education designations, and in some districts, health information including immunization records and accommodation notes. This data is protected by FERPA (the Family Educational Rights and Privacy Act), which restricts who can access it and what it can be used for, but FERPA is a notification and access-control law, not a breach-prevention standard.

K-12 institutions have become increasingly attractive to ransomware and extortion groups over the past several years. Security researchers at Cybernews and BleepingComputer have documented dozens of attacks against school districts and education technology vendors. Schools often operate with limited IT security budgets and staff, making detection and response slower than in enterprise environments. And the data they hold has real-world value: children’s Social Security numbers, if exposed, can be exploited for years before the victim is old enough to check their credit. The combination of high-value data and comparatively weak defenses is, from an attacker’s perspective, a reasonable calculation.

Concentrating student data for 11 million children across a single vendor’s infrastructure is a practical necessity for the school districts that use it. Running a student information system requires centralized data. But it also means that the security posture of one company, together with the individual decisions of its employees (as with the employee account ShinyHunters accessed through a compromised credential), effectively determines the exposure level for those 11 million students. That’s not an argument against using SIS platforms. It’s an argument for understanding that the risk profile of a breach at a company like Infinite Campus is categorically different from a breach at a company with ordinary business data.

What this means for parents and school staff

For parents, this particular incident doesn’t require any action. Infinite Campus has stated that student records weren’t accessed, and that determination appears to be supported by the forensic investigation. There’s no indication that children’s personal information was exfiltrated.

The more durable question is what data your child’s school district shares with which vendors, and what those vendors’ security practices look like. Most school districts publish data privacy policies that list their approved technology vendors, often in response to state student privacy laws that require this disclosure. Those lists are worth reading. The vendors on them have varying security standards. An edtech company that processes quiz data has a different risk profile than one that holds enrollment records, but both appear on vendor lists.

For school staff, the Infinite Campus incident serves as a reminder that credential hygiene matters even in support systems that don’t appear to hold sensitive data directly. The Salesforce instance that ShinyHunters accessed wasn’t a student database. But access to customer support records can still yield useful information about district configurations, open security tickets, and potentially credential data for other systems. Accounts used in customer-facing and support roles deserve the same multi-factor authentication and access controls as core operational systems.

School communications with parents often involve signing consent forms and permission slips digitally. When schools use third-party platforms to manage that process, those platforms are another vendor in the data supply chain. Signing those documents locally, using tools like Signegy’s browser-based PDF signer or your device’s built-in PDF tools, keeps your signed document off an additional vendor’s servers. That’s a smaller concern than the SIS data discussed above, but for parents who are thoughtful about minimizing their family’s digital footprint, it’s worth noting.

Where things go from here

ShinyHunters’ threat to leak Infinite Campus data appears not to have materialized in the weeks following the March 25 deadline. Absent a confirmed exfiltration and release, the incident is more useful as a case study than a crisis. But the targeting decision reveals something real about the threat landscape for education technology companies.

The question that will shape K-12 data privacy over the next several years is less about any single breach and more about the structural model. Student information systems are necessarily centralized, which makes concentration risk unavoidable. Regulatory frameworks like FERPA haven’t kept pace with the scale of what’s now being stored and the sophistication of groups targeting it. DataBreaches.net and the K12 Security Information eXchange (K12 SIX) have both tracked the growing frequency of attacks against education technology vendors. Neither Infinite Campus’s response nor the outcome of this particular incident is the story. The pattern is the story.

Any parent or educator who wants to understand the full scope of what school technology vendors hold should request a copy of the district’s data privacy agreements under applicable state law. Most states with student privacy legislation (California, Colorado, New York, and others) provide parents a right to see what data is collected and shared. Exercising that right is one of the few practical tools available for understanding, if not controlling, how extensively children’s data is distributed across the education technology ecosystem.