Two PE Firms. Two EdTech Breaches in a Row.
KKR paid $4.8B for Canvas. Bain paid $5.6B for PowerSchool. PowerSchool was breached 3 months later. Canvas 18 months later.
Introduction
Two of the biggest educational data breaches in history happened on private equity's watch. KKR took Canvas's parent private for $4.8 billion in November 2024. Bain Capital paid $5.6 billion for PowerSchool the same fall. PowerSchool was breached three months after closing — December 2024. Canvas followed 18 months after its deal — May 2026. Both companies quietly paid ransoms. Bloomberg Law reports nearly 50 million K-12 students and teachers had data stolen from PowerSchool; ShinyHunters claims 275 million records from Canvas. Nobody on either platform got to vote on who their data was going to live with.
How KKR Bought Canvas
KKR closed its $4.8 billion acquisition of Instructure on November 13, 2024, taking the company private at $23.60 per share, a 16% premium over the unaffected price. CEO Steve Daly stayed in place. Thoma Bravo, which had taken Instructure private in 2020 and re-IPO'd it in 2021, sold its roughly 84% stake.
The press release reads like every other PE acquisition of a mission-driven platform. KKR Partner Webster Chua talked about working with Daly's team to "accelerate growth and continue scaling." KKR said it would "support Instructure as it increases investment in technology and innovation." No dollar amount earmarked for security, no incoming CISO named, just the commercial goal of doubling Instructure to $1 billion in revenue by 2028.
Going private also meant Instructure walked away from public-market disclosure: no more quarterly earnings calls, no more 10-K filings spelling out material risks to investors. The people who would have asked hard questions about security posture stopped getting an invite. The only party still watching was KKR, whose stated incentive was margin expansion and a profitable exit in three to five years.
The Five Days That Made It a Pattern
Walk the timeline. ShinyHunters first got into Canvas systems on or around April 25, 2026. Instructure detected the intrusion on April 29, publicly disclosed it on May 1, and on May 2 the CISO declared the incident "contained." By May 6, the company was saying the platform was secure and that "no evidence" pointed to compromise of passwords, financial data, or government identifiers.
On May 7, ShinyHunters defaced the Canvas login portals at roughly 330 institutions including Harvard, Princeton, Stanford, and the University of Pennsylvania, posting ransom demands directly on the screens students were trying to log into during finals week. Krebs on Security quoted security analyst Dipan Mann noting that Canvas's status page briefly labeled the outage "scheduled maintenance" for about 21 minutes before acknowledging the breach. Only after the second attack did Instructure shut down the Free-For-Teacher accounts, the same access pathway exploited in the first breach.
Five days from "contained" to "defaced at 330 universities" is what House Homeland Security Chairman Andrew Garbarino zeroed in on when he sent Instructure a congressional letter on May 11. Garbarino wrote that "the recurrence of an intrusion within days of an initial breach disclosure, and Instructure's apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company's incident response capabilities." He gave Daly a May 21 deadline to brief committee staff. Garbarino cited Canvas's "more than 30 million active users globally," which is Instructure's own number. ShinyHunters claims the actual exfiltration touched 275 million users at 8,809 institutions, a figure Instructure has not confirmed.
What Was Actually in Those Messages
The Free-For-Teacher program let individual educators spin up Canvas accounts without institutional verification. Daly described the failure as "a vulnerability regarding support tickets in our Free for Teacher environment." ShinyHunters got in through social engineering, and Krebs notes the group specializes in voice phishing where they impersonate IT staff. Once inside, they reached well beyond the Free-For-Teacher tier into the broader Canvas environment.
Instructure has confirmed that names, email addresses, student ID numbers, and "some private messages" were compromised. The Texas class action complaint reported by PCMag spells out what "some private messages" actually means: "confidential student communications about illness, disability accommodations, pregnancy, mental health, harassment, bullying, Title IX matters, discipline, grades, financial hardship, housing insecurity, immigration concerns, family emergencies, and safety issues." That's the stuff students put into Canvas messages when they need a medical extension or are negotiating disability accommodations they don't want disclosed publicly. PCMag reports at least 18 federal class action lawsuits had been filed as of May 11.
The disability accommodations thread is worth sitting with. Students send those requests through Canvas instead of a hallway conversation precisely because the channel is supposed to be private. That promise is now retroactively broken for anyone who ever used it.
The Ransom Instructure Won't Name
Instructure paid, but it never used the word "ransom." On May 11 it announced an "agreement" with "the unauthorized actor" that included data returned, "digital confirmation of data destruction (shred logs)," and written assurance that "no Instructure customers will be extorted as a result of this incident." The dollar amount has never been disclosed; unconfirmed reports place it around $10 million, though Wikipedia explicitly tags that figure as "rumors."
The shred logs cannot be verified. Allison Nixon, chief research officer at the cybersecurity firm Unit 221B, told CyberScoop that ShinyHunters "made false statements to victims and to the public in the past." Cliff Steinhauer of the National Cybersecurity Alliance warned that paying "reinforces the economic incentive structure behind cyber extortion." Bitdefender researchers pointed out that the stolen dataset, with real course names, instructor names and student IDs attached, enables "highly convincing" spear-phishing for as long as it exists, which is forever, regardless of what the shred logs say.
Who Benefits
KKR is the first beneficiary, and the mechanism is structural rather than malevolent. KKR paid roughly 7x next-twelve-months revenue for Instructure, a premium that creates structural pressure to grow EBITDA fast enough to justify the price at exit. Security operations are a cost center. Every dollar not spent on security infrastructure improves the short-term EBITDA multiple that determines the eventual sale price.
There is no documented evidence of specific post-acquisition security cuts, but the absence of the opposite is just as notable: no announced security staffing additions, no public security investment commitment in the deal language. The Krebs reporting describes Instructure-connected systems being probed by ShinyHunters for months before May 2026, including a September 2025 social engineering attack on Instructure's Salesforce environment. Whatever security investment was happening, it wasn't enough to keep the same threat actor out the second time around.
ShinyHunters benefit too. They monetized a supply-chain attack on 8,809 institutions in one operation. For context: AT&T paid $370,000 for the 2024 Snowflake breach. The Canvas ransom, even at the unconfirmed $10 million figure, would be roughly 27x what AT&T paid.
Everyone else on the platform absorbs the downside: students, faculty, IT staff, university administrators, and the federal customers who keep cutting checks. The federal government holds active Instructure contracts with the Army ($665K), the Uniformed Services University of Health Sciences ($213K), and the VA. None of them had a vote in who acquired the platform their data lives on.
The PowerSchool Echo
PowerSchool is what turns this from a hack story into a pattern. The K-12 student information system used by tens of thousands of districts was acquired by Bain Capital for $5.6 billion in late 2024, closing within weeks of the KKR/Instructure deal. That December, a 19-year-old attacker walked into PowerSchool's customer support portal with compromised credentials and no multi-factor authentication standing in the way. Bloomberg Law reports nearly 50 million K-12 students and teachers across roughly 4,700 school districts were affected, with Social Security numbers, birthdates, and medical information all exposed. PowerSchool paid a ransom too.
It's the same playbook: PE firm buys EdTech company, deal closes, attackers exploit a vulnerability the operating company missed or chose not to fix, ransom gets paid, customers and end users find out after the fact. Bloomberg Law notes that Bain Capital, named alongside PowerSchool as a co-defendant in private litigation, has "largely been unable to convince a federal court to dismiss the claims made by individual victims." The legal theory that the PE owner shares liability for the operating company's security failures is surviving motions to dismiss in federal court, and that precedent is now squarely relevant to KKR.
No State Has Left. Here's Why.
The Hinds v. KKR & Co. Inc. complaint, filed in the Southern District of New York on May 8 (No. 1:26-cv-03816), names KKR as a primary defendant. Bloomberg Law reports the complaint alleges KKR "failed to honor its responsibility to protect personal data." KKR declined to comment. There's an FTC template waiting if regulators decide to engage: Illuminate Education, another EdTech company that suffered a breach exposing student academic and health records, agreed at the FTC's behest to implement a full data security program.
No state has terminated its Canvas contract. No federal agency has paused its Instructure procurement. The 41% of North American higher education institutions running on Canvas can't easily switch, because the platform is embedded in course design, gradebook history, single sign-on architecture, and federal compliance reporting. Switching to a competitor takes a year of planning, seven-figure migration costs, faculty retraining, and a disrupted academic cycle. That lock-in is the whole reason KKR paid 7x revenue, and it's the same reason no university board is voting to leave.
The Next Acquisition Has Already Happened Somewhere
The real question this breach raises is who controls critical educational infrastructure when it changes hands between institutional investors, and what their incentives look like when no one's watching. KKR's return model rewards margin expansion over operational investment. The people absorbing the cost had no input into the November 2024 ownership change.
Garbarino's briefing is May 21. The federal class actions will keep multiplying through the summer. Whether the FTC opens the same kind of consent order it imposed on Illuminate Education is what decides whether PE ownership of EdTech infrastructure stays a free-roll bet or starts carrying enforceable downside. The open question is whether the next EdTech acquisition terms include security commitments anyone can actually hold a PE firm to.