Full Report
In the wake of the Infinite Campus data breach, DataBreaches was contacted by several concerned EdTech professionals who weren’t prepared to accept Infinite Campus’s word that there was no sensitive student information in the data tranche. With their encouragement, DataBreaches downloaded the data tranche from ShinyHunters’ leak site and examined it. Most of the files...
Analysis Summary
# Incident Report: Infinite Campus Data Leak via ShinyHunters
## Executive Summary
Infinite Campus, a major K-12 student information system provider, suffered a data breach resulting in a data tranche being leaked on the ShinyHunters criminal forum. While the company initially claimed no sensitive student data was involved, independent analysis of a support ticket CSV file revealed the exposure of specific student names linked to sensitive behavioral, disciplinary (arrests), and Special Education (IEP) records. The overall volume of sensitive student data appears low, but the qualitative sensitivity of the exposed narratives is high.
## Incident Details
- **Discovery Date:** Approximately March 25-28, 2026 (Public disclosure/analysis)
- **Incident Date:** Occurred prior to March 25, 2026
- **Affected Organization:** Infinite Campus
- **Sector:** Education Technology (EdTech)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to March 2026)
- **Vector:** Likely credential compromise or vulnerability exploitation (consistent with *ShinyHunters* patterns).
- **Details:** Attackers gained access to internal company files, including proprietary data and support ticket exports.
### Lateral Movement
- **Details:** Access extended to a "data tranche" containing client information, employee-related files, and customer support databases.
### Data Exfiltration/Impact
- **Details:** A data tranche was exfiltrated and subsequently posted to the ShinyHunters leak site. The dump included a `.csv` file containing internal support requests submitted by school district employees.
### Detection & Response
- **Detection:** Discovered via monitoring of the ShinyHunters leak site.
- **Response:** Infinite Campus issued a statement claiming no impact to student data. Independent researchers (DataBreaches.net) audited the data to verify these claims.
## Attack Methodology
*Note: The source article does not give specific technical details of the breach of Infinite Campus infrastructure; the items below reflect typical "ShinyHunters" tactics.*
- **Initial Access:** Often involves compromised cloud storage buckets or administrative credentials.
- **Collection:** Gathering of internal documentation, proprietary code, and support databases.
- **Exfiltration:** Transfer of data to external servers for extortion/leaking.
- **Impact:** Data leak leading to reputational damage and exposure of PII/PHI.
## Impact Assessment
- **Financial:** Potential regulatory fines (FERPA/HIPAA) and legal costs associated with investigating specific student record exposures.
- **Data Breach:** Exposure of proprietary files, employee data, and approximately two dozen high-sensitivity support tickets containing student names and discipline/disability status.
- **Operational:** Diversion of resources to incident response and data auditing.
- **Reputational:** High; public contradiction of company "no impact" claims by security researchers.
## Indicators of Compromise
- **File indicators:** `.csv` support ticket exports containing student PII; "Infinite Campus data tranche" on ShinyHunters site.
- **Behavioral indicators:** Unusual access to support database backends or bulk export of ticket history.
## Response Actions
- **Containment:** Infinite Campus reported "no impact" to student databases (implied containment of core systems).
- **Eradication:** Removal of the data from public view (ongoing/attempted).
- **Audit:** Independent review of the leaked file by DataBreaches.net provided a more granular understanding of the exposure.
## Lessons Learned
- **The "Support Ticket" Blind Spot:** Sensitive data often leaks into non-database files (like CSV exports of support chats or emails) when employees copy-paste PII to describe technical issues.
- **Communicative Transparency:** Making early, absolute claims of "no student data impact" can damage credibility if researchers later find even a small number of exposed records.
- **Data Minimization:** Employees should be trained to use "Person IDs" or anonymized identifiers rather than names when submitting support tickets.
## Recommendations
- **DLP for Support Portals:** Implement Data Loss Prevention (DLP) tools on internal support ticketing systems to flag or redact PII/names before tickets are saved.
- **Employee Training:** Educate school district staff on the dangers of including student names in technical support requests.
- **Access Control:** Audit and limit who can export bulk CSV data from customer support platforms (Zendesk, Salesforce, etc.).
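
The DLP recommendation and the "Support Ticket" blind spot above, shown as an added example (not code from the source article or from Infinite Campus): a Python check that flags rows in a ticket export where a term from the sensitive categories named in this report appears alongside a likely personal name, and produces a redacted copy of the text. The column names, the sample rows, the stoplist and the two-capitalized-words name heuristic are assumptions made for illustration.

```python
import csv
import io
import re

# Terms for the record categories the report names (behavior, arrests, IEP).
SENSITIVE = re.compile(
    r"\b(IEP|special education|arrest\w*|disciplin\w*|behavior\w*)\b", re.I)
# Heuristic (assumption): two adjacent capitalized words look like a name.
# The lookahead lets pairs overlap, so "Student Jordan Example" is not missed.
NAME = re.compile(r"(?=\b(([A-Z][a-z]+)\s+([A-Z][a-z]+))\b)")
# Capitalized words that are not personal names here (illustrative stoplist).
NOT_NAMES = {"Infinite", "Campus", "Special", "Education", "Student",
             "Report", "Card", "Person", "Discipline"}

# Constructed sample export; column names and values are invented.
SAMPLE_CSV = """ticket_id,district,description
1001,District A,Report Card export fails with a timeout for Person ID 48213.
1002,District B,Student Jordan Example was arrested last week and the behavior record will not save.
1003,District C,"IEP for Riley Sample shows the wrong case manager, please fix."
1004,District D,Discipline incident for Person ID 77120 is duplicated.
"""


def find_names(text):
    """Return capitalized word pairs that are not on the stoplist."""
    return [m.group(1) for m in NAME.finditer(text)
            if m.group(2) not in NOT_NAMES and m.group(3) not in NOT_NAMES]


def scan_tickets(csv_text, text_field="description"):
    """Flag tickets that pair a sensitive category with a likely name."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        text = row[text_field]
        terms = sorted({m.group(0).lower() for m in SENSITIVE.finditer(text)})
        names = find_names(text)
        if terms and names:
            redacted = text
            for name in names:
                redacted = redacted.replace(name, "[NAME REDACTED]")
            findings.append({"ticket_id": row["ticket_id"], "terms": terms,
                             "redacted": redacted})
    return findings


if __name__ == "__main__":
    for finding in scan_tickets(SAMPLE_CSV):
        print(finding["ticket_id"], finding["terms"], finding["redacted"])
```

Ticket 1004 mentions a discipline incident but is not flagged, because it refers to the student by Person ID rather than by name, which is the practice the Data Minimization lesson describes.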