With a holiday tomorrow and summer well underway, I’m keeping it short this week. ShinyHunters is back in the news, this time for breaching Oracle PeopleSoft, so let’s talk about what this means for higher education. I close with three Sparks: stories from Some College, No Credential students, new grads go to work, and ED moves some responsibilities to another department.
ShinyHunters Strikes Again
From Colleges hit in cyberattack by group behind Canvas breach, Google says
ShinyHunters appears to have breached Oracle’s PeopleSoft software suite.
Our Thoughts
So, last month, ShinyHunters took down Canvas (twice!), and I wrote about the problems with this in Issue 106. Then, this month the same group went after Oracle PeopleSoft, and of the hundred-plus organizations Google's Mandiant team flagged as exposed, roughly 68 percent were colleges and universities. Most of the coverage seems to report the story as an IT, patch-your-servers problem, but that framing misses the actual overarching concern—the concentration of higher education data with a handful of ed tech vendors.
Before coming to Evisions, I spent almost a decade in the registrar’s office in various roles until I eventually became a registrar. This is to say I spent a good chunk of my career as the person ultimately responsible for the student information system. So, when one flaw in a vendor’s product exposes student records at dozens of institutions at once, I don't read it as a story about a single company's bad month. I read it as a story about how completely we have consolidated the most sensitive data in higher education into a handful of platforms that sit underneath thousands of campuses, and what happens when someone works out that the fastest way into all of them is to break into one of them.
Yes, security is challenging, and this piece is not meant as an attack on Oracle (or even Instructure). With the increased use of AI, cybersecurity is quickly becoming an important product feature. However, by consolidating our data in a handful of pipes, we are opening ourselves up to single points of failure for our most sensitive data.
What bothers me most, though, is the vendors making decisions without input from their clients. After the Canvas breach hit a platform that runs at roughly 41 percent of North American campuses, Instructure paid the ransom, against the FBI's standing guidance and the judgment of nearly every security professional who weighed in, and it made that call on behalf of every institution on the platform. The data belonged to our students. The FERPA obligations belonged to our institutions. The decision about how to respond belonged entirely to the vendor. I’m not sure we even realized what we were trading away as we moved to SaaS vendors.
Even when campuses follow all of the appropriate security protocols, their data may be exposed anyway. For example, Oracle didn't publish its advisory until June 10, a day after the stolen data was already posted to the leak site, which means the vulnerability was a live zero-day the whole time. There was no patch to apply, because the people who could write the patch hadn't admitted the hole existed yet. You can run a flawless security program and still get breached through a product you bought in good faith from a vendor you have no way to see inside of. The black box doesn't have to be an algorithm to do real damage.
With all that being said, though, I get it. Running your own infrastructure is expensive, and hiring the people to secure it properly is more expensive, while a hosted platform is cheaper and somebody else's problem right up until it isn't. So, my recommendation before the fall term starts is to look at what data is held by each vendor you have. Then look at your contracts to see what obligation the vendor has when, not if, a breach happens: who notifies whom, on what timeline, and who gets to decide whether a ransom gets paid. Ask the third-party risk questions now, in writing, while this breach is fresh and everyone is motivated to answer them. It feels like the breaches will keep coming (especially as AI continues to develop), so control the parts of the experience you can before the next one lands.
Sparks
- Some college, no degree: the Americans who find it impossible to graduate (The Guardian) - Told through the stories of former students, Rachel Bujalski looks at what happens to students who start college but never finish. I’ve written about this before, but adding student stories makes it personal. The fact that 43.1 million Americans fall into the Some College, No Credential population is a story that deserves more media coverage.
- What does the class of 2026 want from their post-grad jobs? (Higher Ed Dive) - According to a new survey from the National Association of Colleges and Employers, recent grads are looking for a strong start with employers who support their professional development. I wish the best of luck to the class of 2026 as they enter this job market!
- ED Shifts Some Civil Rights Enforcement to Justice Department (Inside Higher Ed) - The Department of Education has moved some investigations to the Justice Department, stating the move will not impact students, but advocacy groups disagree. We’ve discussed the dismantling of ED before, and again, whether I agree or disagree, the proper path for removing the department is through Congress.