Data Breach at Infinite Campus Affects 137,000 School Employees

A cyberattack on the widely used student information system Infinite Campus has affected the personal data of more than 137,000 school employees. The ShinyHunters ransomware group conducted the attack in March 2026, stealing information related to the affected accounts. The security breach was revealed in a comprehensive investigation of the incident. The ShinyHunters group is known for its attacks on various companies and institutions. In this case, they targeted the Salesforce platform used by Infinite Campus to manage student data.

The stolen data includes personal information that could be misused for identity theft and other criminal activities. Following the incident, several educational institutions and school districts have taken measures to enhance the security of their systems. These measures include reviewing security protocols and training staff on how to handle cyber threats. Experts warn that such attacks on educational institutions may increase in the future, as they often have inadequate security measures in place. The affected school employees have been informed about the incident and advised to monitor their accounts.

Authorities recommend regularly changing passwords and utilizing additional security measures such as two-factor authentication. The response to the incident highlights the importance of implementing proactive security strategies. Investigations into the incident are still ongoing. Security researchers are analyzing the methods used by the attackers to breach the system. The exact manner in which the ShinyHunters group exploited the vulnerabilities is still under investigation to prevent future attacks.

The Infinite Campus platform is used by numerous schools in the United States, significantly amplifying the impact of the attack. The security breach not only affects the impacted employees but also students and their families, as the security of their data may also be compromised. School administrations are under pressure to ensure the security of their systems and to regain the trust of parents and students. The ShinyHunters group has previously conducted similar attacks on other platforms, underscoring the need to strengthen security measures in the education sector. These incidents have led to increased awareness of cyber risks in schools, and many institutions are now reviewing their security strategies and policies.

Incidents also have legal consequences for the affected schools and the Infinite Campus platform. Lawsuits from affected employees and possibly from parents concerned about their children's safety are expected. The legal actions could have far-reaching implications for the future use of student information systems. The vulnerability that led to this incident may be classified as CVE-2026-XXXX, with the exact CVE number yet to be determined. The security community is working to identify and address the vulnerabilities to prevent similar incidents in the future.

The Infinite Campus platform has announced that it is working closely with authorities to improve security and support affected users. The platform plans to review and update security protocols as necessary to ensure data integrity. However, a timeline for implementing these measures has not yet been disclosed. The incidents highlight the challenges educational institutions face in the digital age. The need to invest in robust security solutions is becoming increasingly urgent to protect the sensitive data of employees and students. The Infinite Campus platform is expected to provide comprehensive security updates by the end of June 2026.