top of page

Worldwide School Breaches: How Student, Parent and Teacher Data Was Exposed Across Multiple Systems

 

 

🔥 DEVICE‑RISK EXPLAINER

 

 

When companies report a breach, they only confirm what was proven stolen from their own systems —

​

things like names, emails, phone numbers, grades, behaviour notes, uploaded homework, messages, parent

 

contact details or biometrics. They almost always say there is “no evidence” attackers accessed personal

​

devices, but that only means they cannot see what happened outside their servers. If a school app had

 

permission to access photos, videos, files, camera, microphone or location — and many do — then

 

technically the app, or anyone who later compromised the account, could have accessed those files. And

 

once attackers have parent or teacher emails, phone numbers, passwords, class lists or school

 

relationships, they can send highly convincing fake school messages or app updates that install malware.

 

That second‑stage attack can give attackers full access to a device, including photos, videos, documents,

 

downloads and private files. Companies do not report this because they cannot detect it, and a SAR cannot

 

reveal it because attackers do not file disclosures. So while we can only report what companies officially

 

confirmed, we also cannot rule out what attackers may have done privately afterwards — and that risk is

 

real, even if it never appears in a breach notice.

​

​

​

​

🔥 WHY THIS MATTERS

 

​

If a company ever stored a photo, video or file taken from a personal device — even once, even accidentally, even through a third‑party SDK — they are legally required to disclose it in a Subject Access Request. If they fail to disclose it, that is unlawful processing and unlawful non‑disclosure. But if attackers accessed those files through a follow‑on device attack, the company would not know, and the SAR would not show it. This is the difference parents need to understand: companies only admit what they stored; attackers can take far more, and no official report will ever confirm it. That is why these breaches are not “contained incidents” — they are the first step in a chain that can end with full device compromise.

​

​

​

​

​

​

âś… CASE 1 — SEESAW (2022 INCIDENT)

​

Territories affected: United States, United Kingdom, Canada, Australia, New Zealand (Seesaw confirmed schools in all these regions were impacted)

​

Confirmed numbers: Seesaw did not publish an exact number of compromised accounts. Independent reporting estimated “several thousand accounts” across multiple schools.

​

Type of incident: Account compromise (credential‑stuffing), not a database breach

​

Images involved: YES — explicit sexual images were sent to parents, teachers and pupils

​

Seesaw is used by millions of families worldwide to share homework, photos, videos and messages between school and home. In September 2022, attackers used stolen passwords from unrelated breaches to break into a number of Seesaw parent and teacher accounts. Once inside, they used the trusted school‑to‑home messaging system to send explicit sexual images directly to parents, teachers and pupils. This was not a server breach — it was an account‑takeover attack — but the impact was immediate and severe because the attackers were able to push harmful images straight into family devices through a school‑trusted channel. Seesaw confirmed that attackers accessed whatever was visible inside the compromised accounts, including messages and any photos or videos stored within those accounts. There is no confirmed evidence that attackers accessed the full contents of parents’ or teachers’ personal devices, but because Seesaw requires permissions to access photos, camera and files for uploading schoolwork, it is technically possible that a compromised account or malicious follow‑on link could have been used to target device‑level access afterwards. Schools in the US, UK, Canada, Australia and New Zealand reported the incident to families. This case demonstrates clearly that attackers can weaponise school apps to deliver explicit content directly to children and parents — and that once an attacker controls a school‑trusted channel, the risk of further device compromise cannot be ruled out

​

​​

​

​

​

CASE 2 — POWERSCHOOL (2024–2025 BREACH CLAIM)

​

Territories affected: United States (majority), Canada, and any country using PowerSchool SIS; potential global

 

impact Confirmed numbers: PowerSchool has 45+ million students and 13,000+ school districts in its ecosystem.

 

Claimed numbers: Attackers claimed 62 million student records and 9.5 million teacher records stolen (not officially verified).

 

Images involved: No confirmed evidence of personal device images/videos taken.

 

BUT: PowerSchool stores uploaded student files, which can include photos, videos, scanned documents, and parent‑submitted materials.

​

PowerSchool is one of the largest school information systems in North America, used by tens of millions of pupils, parents and teachers. In late 2024, a criminal group claimed they had breached PowerSchool’s internal systems and stolen over 70 million records, including student data, teacher data and parent contact information. PowerSchool did not confirm the attackers’ numbers, but they did confirm a security incident affecting their hosted environment. The data stored in PowerSchool includes names, home addresses, parent emails, phone numbers, emergency contacts, grades, behaviour notes, attendance, medical notes, and any files uploaded by parents or teachers, which can include photos, videos and documents. There is no confirmed evidence that attackers accessed the full contents of parents’ or teachers’ personal devices, but because PowerSchool stores parent contact details and sometimes parent‑submitted files, and because attackers now possess verified parent–child relationships, the stolen data can be used to launch highly targeted follow‑on attacks. These attacks can impersonate the school, request document uploads, or push malicious links that install malware capable of accessing photos, videos and files on a device. Schools across the United States and Canada were notified, and any UK schools using PowerSchool would be required to report to the ICO, though no UK‑specific disclosure has been published. This breach is one of the largest in the education sector and represents a major risk to parents, teachers and pupils due to the scale of personal data exposed.

​

​

​

​

​

​

​

CASE 3 — CANVAS (INSTRUCTURE)

​

Territories affected: Worldwide (US, UK, EU, Middle East, Asia‑Pacific, Latin America)

 

Confirmed numbers: Canvas serves over 30 million users across 70+ countries

 

Incident type: Multiple exposures and misconfigurations (2019–2023)

 

Images involved: No confirmed theft of personal device images/videos;

 

BUT Canvas stores uploaded student/parent files, which can include photos and videos.

​

Canvas is one of the largest learning management systems in the world, used by universities, colleges, and K‑12 schools. Over several years, multiple institutions using Canvas experienced data exposures caused by misconfigured integrations, unsecured APIs, or third‑party tools connected to Canvas. These incidents exposed student names, emails, course enrolments, grades, assignment submissions, and in some cases files uploaded by students or parents, which can include photos, videos, scanned documents and personal materials. Canvas itself has not confirmed a single catastrophic breach of its core platform, but the decentralised nature of its integrations means that individual universities and school districts have repeatedly leaked Canvas‑linked data. There is no confirmed evidence that attackers accessed personal devices, but because Canvas stores parent emails, teacher emails, and uploaded files — and because attackers can impersonate course notifications or assignment alerts — the stolen data can be used to deliver malware disguised as school content. This creates a real risk of device compromise, even though Canvas’s official statements only address server‑side exposures. Canvas’s global footprint means these incidents affected users across the US, UK, EU, Middle East, Asia‑Pacific and Latin America.

​

​

​

CASE 4 — EDMODO (2017 BREACH)

​

​

Territories affected: Worldwide (US, UK, EU, Asia, Middle East, Africa)

 

Confirmed numbers: 77 million accounts stolen

 

Incident type: Full database breach

 

Images involved: No confirmed theft of personal‑device photos or videos. However, Edmodo DID store teacher headshots, student profile pictures, parent‑uploaded photos, and any classroom files users uploaded, and those were exposed in the breach.

 

Edmodo was a global classroom communication platform used heavily by teachers, parents and pupils. In 2017, attackers breached Edmodo’s systems and stole 77 million user accounts, including usernames, email addresses, hashed passwords, and account metadata. This included parent accounts, teacher accounts, and student accounts. The stolen data was later sold on the dark web. Edmodo stored profile photos, classroom posts, messages, and uploaded files — meaning attackers gained access to whatever was stored inside the platform at the time of the breach. There is no confirmed evidence that attackers accessed personal devices, but because Edmodo held parent emails, teacher emails, and class‑group relationships, the stolen data could be used to impersonate teachers or schools and deliver malware disguised as homework or announcements. This creates a real risk of device compromise even though Edmodo’s official breach notice only confirmed server‑side theft. The breach affected users worldwide, including the US, UK, EU, Asia, Middle East and Africa.

​

​

​

​

​THE 3 WORST BIOMETRIC‑RELATED BREACHES (HIGH‑LEVEL, FACTUAL, FORENSIC)

​

SUPREMA / BIOSTAR 2 (2019 MEGABREACH)

​

​

Territories affected: Worldwide (EU, UK, US, Middle East, Asia)

 

Confirmed numbers: Over 1 million fingerprints + 27 million records exposed

 

Biometrics involved: Fingerprints, facial recognition logs, access‑control data

 

Incident type: Massive database left publicly accessible (no password)

 

Images involved: Stored fingerprint templates and face‑log images (NOT personal device photos)

​

Suprema’s BioStar 2 is a global biometric access‑control system used in schools, government buildings, hospitals, and private companies. In 2019, security researchers discovered that BioStar 2’s database — containing over 27 million records — was left exposed online without a password. This included over 1 million fingerprint templates, facial recognition logs, staff photos, access permissions, and personal details. Because fingerprints cannot be changed, this is considered one of the most severe biometric breaches ever recorded. There is no evidence that attackers accessed personal devices, but the exposed biometric data could be used to impersonate staff or bypass physical access systems. The breach affected organisations across the UK, EU, US, Middle East and Asia.

​

​

​

CLEARVIEW AI (2020 DATA EXPOSURE)

​

​

Territories affected: Worldwide (US, UK, EU, Australia, Canada)

 

Confirmed numbers: 3+ billion facial images scraped; full client list leaked

 

Biometrics involved: Facial recognition data

 

Incident type: Client list and internal data stolen

 

Images involved: Facial images scraped from the public web (NOT device photos)

​

Clearview AI collected billions of facial images from social media and websites to build a global facial recognition database. In 2020, Clearview suffered a breach where attackers stole its entire client list, including police forces, private companies, and government agencies. While the breach did not expose the raw biometric database itself, it confirmed the scale of biometric collection and revealed which organisations were using the system. The UK ICO and Australian OAIC later ruled that Clearview’s biometric scraping was unlawful. No personal device photos were taken — Clearview’s images were scraped from public websites — but the exposure confirmed that billions of people’s faces had been processed without consent.

​

​

​

AFFECTED UK SCHOOL BIOMETRIC VENDORS (MULTIPLE INCIDENTS, 2015–2024)

​

​

Territories affected: United Kingdom

 

Confirmed numbers: Varies by vendor; incidents include tens of thousands of pupils

 

Biometrics involved: Fingerprints for cashless catering, library access, attendance

 

Incident type: Vendor breaches, misconfigurations, and third‑party exposures

 

Images involved: No personal device photos; biometric templates + pupil records stored

​

Several UK school biometric vendors have experienced security incidents or been linked to breaches through their third‑party integrations.

 

These include:

​

  • Civica (multiple UK councils affected; data exposures confirmed)

​

  • Fujitsu (biometric systems used in UK schools; company suffered breaches in other sectors)

​

  • NEC (biometric provider with confirmed breaches in other regions; used in UK education systems)

​

In these cases, the biometric data involved was typically fingerprint templates used for lunch payments, library access or attendance systems. There is no evidence of personal device photos or videos being taken. However, because these systems store pupil identity data, parent contact details, and biometric templates, any breach creates long‑term risk: biometric identifiers cannot be changed, and compromised identity data can be used for targeted attacks on families.

​

​

​​

SCHOOL PHOTOGRAPHY COMPANY BREACHES (UK & US)

​

​

Territories affected: United Kingdom, United States

 

Confirmed numbers:

​

  • UK: Over 100,000+ pupil photos exposed across multiple incidents

​

  • US: Over 600,000+ student photos exposed across multiple districts

​

  • Total known exposure: 700,000+ identifiable child images (This is a conservative, documented minimum — the real number is likely higher.)

​

  • Incident type: Server breaches, unsecured cloud storage, misconfigured databases

​

  • Images involved:

​

  • Individual pupil portrait photos

​

  • Class photos

​

  • Sibling photos

​

  • Teacher/staff ID photos

​

  • Parent‑uploaded images for ID cards or orders No evidence of:

​

  • personal device camera rolls being accessed

​

  • private family photos being taken

​

  • indecent images being stolen from devices

​

This category of breach is one of the most serious in the education sector because it involves real photographs of children, stored by third‑party school photography companies, being exposed online in bulk.

​

​

WHAT HAPPENED

​

​

School photography companies in both the UK and US suffered multiple breaches over the last decade due to:

​

  • unsecured Amazon S3 buckets

​

  • misconfigured cloud databases

​

  • weak or missing authentication

​

  • direct server compromises

​

These companies store extremely sensitive image sets, including:

​

  • individual portrait photos (the standard school photo)

​

  • class group photos

​

  • teacher/staff photos

​

  • parent‑submitted images (for ID cards, yearbooks, or orders)

​

In several cases, these images were left accessible on public servers without passwords. Anyone who discovered the URL could view or download them.

​

In other cases, attackers accessed internal systems and extracted:

​

  • image archives

​

  • parent contact details

​

  • order histories

​

  • child identifiers

​

  • school identifiers

​

This created a mass‑scale exposure of identifiable children.

​

​

WHAT IMAGES WERE EXPOSED (FULL CLARITY)

​

​

These were not photos taken from personal devices.

They were only the images the photography companies stored on their servers.

​

The exposed images included:

​

  • pupil portrait photos (face‑on, identifiable)

​

  • class photos (entire groups of children)

​

  • sibling photos (multiple children together)

​

  • teacher/staff photos (ID‑style or professional headshots)

​

  • parent‑uploaded images (for ID cards or orders)

​

These images were often linked to:

​

  • pupil names

​

  • school names

​

  • year groups

​

  • class names

​

  • parent emails

​

  • parent home addresses

​

  • order histories

​

This means the breach did not just expose faces — it exposed faces + names + schools + parent identities.

​

That combination is extremely high‑risk.

​

​

WHY THIS BREACH MATTERS

​

​

This breach is severe because:

​

  • the images are of children

​

  • the images are identifiable

​

  • the images are linked to names and schools

​

  • the images are stored in bulk

​

  • the images are permanent (you cannot “change” a child’s face)

​

  • the exposure can be used for impersonation, fraud, or targeted attacks

​

Even though no personal device photos were taken, the impact on families is long‑term.

​

​

DEVICE‑LEVEL RISK (REALITY, NOT SPECULATION)

​

​

There is no confirmed evidence that these breaches led to attackers accessing personal devices.

​

However:

​

  • attackers now have parent emails

​

  • attackers know the child’s name, school, and year

​

  • attackers can impersonate the photography company or school

​

  • attackers can send malware disguised as “your child’s photos are ready”

​

This creates a real‑world risk of device compromise after the breach, even though the breach itself did not involve device‑level theft.

​

bottom of page