How damaging can this really be?
On PowerSchool, Canvas, and the assumption that student data doesn’t matter.
When Canvas made the news earlier this month, I found myself thinking about PowerSchool.
Not the breach itself, but the conversations that followed it.
I spent time in the weeks after PowerSchool talking to parents, teachers, and administrators. People who worked in schools. People who cared deeply about students. Good people who looked at what had been leaked and arrived, independently, at the same place. Names. Addresses. Some grades. Emergency contacts. A few medical notes. And then the question, sometimes asked directly and sometimes just sitting in the air: how damaging can this really be?
I didn't have a clean answer in the moment. I think I do now.
That question rests on an assumption. Student data is thin. That's not a technical term. It's just how people seem to feel about it. That a name and an address and a grade and a medical note are small things. Individually harmless. Not the kind of information that changes a life. Wrong. Not because any single field is dangerous. The problem is that that information doesn’t stay in the fields you put them in.
A student's name. Their school. Their year group. Their home address. Their medical accommodation. Their parents' names and contact details. Their attendance patterns. Their counsellor's notes. Their private messages to a teacher about something they were struggling with. None of those things look sensitive on their own. Together they are a detailed profile of a child and everyone around them. Where they live. What they struggle with. Who to call in an emergency.
And that profile doesn't expire when the student graduates.
The mosaic effect is the concept intelligence analysts use for this. Individually harmless pieces of information, combined, reveal something that none of them could reveal alone. The same principle applies here. Different target. Longer time horizon. A child who has no idea the profile exists. The harm isn't in a hurry. It's patient. A child's data is more valuable because of how long it can be used before anyone notices. Experts who study child identity theft are clear about this: a child's clean credit history is the asset. The younger the child, the longer the window. The fraud surfaces years later, when that child applies for a loan or a rental and finds their credit history already ruined. That harm doesn't connect back to the original breach in any way the child can trace. We don't count it. We keep concluding that student data is thin.
Canvas happened two weeks ago. Instructure confirmed that the entry point was a Free-For-Teacher account — a no-cost account type commonly used outside enterprise-managed environments. No 2FA. A door that was open because nobody decided it needed to be closed. A teacher had created an account outside IT oversight. This is a reasonable thing to do. The tool was useful. But the account sat there, unmanaged, outside the school's controlled environment, holding data nobody was watching. It was the same failure that opened the door at PowerSchool. ShinyHunters claimed to have accessed data from 275 million users across nearly 9,000 institutions. Those figures come from the attackers and haven't been fully verified. The confirmed breach is serious enough on its own.
Schools are among the largest generators of student data in the world. Every platform decision, every free tool a teacher signs up for, every classroom account, every learning management system. The edtech revolution moved fast. The data accumulated quietly with every permission click, every free account created to solve a problem in the classroom. The child at the centre of this has no visibility and no meaningful consent. Children can't meaningfully consent to any of this. Most of them don't know it's happening. Many of the adults making the decisions don't fully know either.
We know this, but we haven't built our systems around it. The frameworks that shape what students learn don't address this.
The IB has moved in the right direction. The DP Digital Society course covers privacy, security, and digital ethics. It's a genuinely good course. But it's an elective. A student can complete the full IB Diploma without ever encountering it. In the MYP, information literacy appears as an “Approach to Learning” skill. It means finding and citing sources. Not understanding what happens to a student's data once they've logged in.
To sit AP exams, students must create a College Board account. The mandatory fields are basic. Name. Home address. Date of birth. Then the registration flow prompts them for more. Phone number. Race. Parent education level. Parent contact details. Whether those fields are optional or not, a teenager under testing pressure doesn't stop to ask. They just fill in the boxes. The IB requires equivalent information for exam registration. Date of birth. Place of birth. The student rarely even enters this data. The school hands it over on their behalf. It becomes a permanent record. Students cannot just log in and delete it. They must petition the organisation directly.
These are not edge cases or oversights. They are the standard operating conditions of the two most widely used international curriculum frameworks. Students are generating data profiles as a condition of accessing their education. The frameworks don't teach them this is happening. The curriculum isn't built to ask the question.
That record doesn't stay in the school's system. It combines with everything the child produces outside of it. Together they feed the systems that decide what a child sees, what they're sold, and what they're offered. This happens during the years when none of it is visible to them. When the brain is still deciding what the world is like. When what they repeatedly encounter shapes what they believe is possible.
We teach students about fire safety through repeated drills. We teach emotional regulation with dedicated frameworks and trained staff. We've built mandatory, resourced, rehearsed systems for physical risk to children. Safeguarding doesn't wait for harm to occur. It assumes the potential is real and builds accordingly. Nobody argues that safeguarding protocols are excessive because the school hasn't had an incident yet. The potential is enough. That's the whole point of the framework.
Student data deserves the same reasoning. When your school last reviewed its safeguarding procedures, who was in the room? When it last talked seriously about data protection, who was in that room? If the answer is different, that's where the work is.