National Security Risks in Educational IT Systems

Shadow AI in Schools: The Vulnerability No One's Measuring A teacher uploads a class list to a free AI tool to help generate personalised feedback. An admissions officer pastes parent emails into ChatGPT to draft responses faster. A HR manager uses an AI transcription service for a safeguarding meeting. Each is trying to work more efficiently. None has checked where that data goes, how it's stored, or whether their institution has sanctioned its use. This is shadow AI: tools adopted informally across organisations, outside IT oversight, without malicious intent but with real security implications. And in education, where sensitive data is everywhere and resources are stretched, it's growing fast. The risk isn't theoretical. In March 2021, a ransomware attack on the Harris Federation: one of the UK's largest academy trusts, left 37,000 pupils unable to access email. Devices issued to students were disabled. Phone systems went down. The trust was at least the fourth multi-academy group hit that month alone. Schools had become "soft targets"more dependent on IT systems after the shift to remote learning, but with security increasingly de-prioritised. That was before AI-accelerated attacks. Before tools like Claude could be manipulated into conducting 80-90% of a cyberattack autonomously, as Anthropic revealed happened this September. Before one in six breaches involved attackers using AI. If education was a soft target then, what are we today? The shadow AI problem compounds the risk. IBM's latest Cost of a Data Breach Report found 63% of organisations lack AI governance policies. Among those that experienced AI-related breaches, 97% had inadequate access controls. Every unsanctioned tool is a potential vulnerability; an unmonitored doorway in an already under-defended building. This isn't about restricting innovation. AI tools offer genuine benefits, and organisations using them effectively in security are cutting breach detection times by 80 days. But adoption without oversight is a gamble; and in education, the stakes include safeguarding data, student records, and institutional trust. For school, college and university leaders, shadow AI raises uncomfortable questions: Do you know which AI tools are being used across your organisation? What data is being shared with them? Who's responsible for assessing the risk? The attackers have AI now. The question is whether your governance does too. I'm running a session on this topic Wednesday morning https://lnkd.in/eW88h-fd What I'm listening to: “Ready or Not” The Fugees What I am reading: 1929 by Andrew Ross Sorkin What I'm Baking Tarte Tatin https://lnkd.in/eSvE6iyw See you in the kitchen Prof Rose Luckin UCL and EVR Ltd #ShadowAI #Cybersecurity #EdTech #AIGovernance #SchoolLeadership #DataPrivacy #HigherEd #K12

🚨 In the last two years alone, major data breaches at edtech providers like Illuminate Education and PowerSchool have exposed the personal information of millions of students—from birth dates and addresses to health records and special education details. As schools increasingly rely on third-party SaaS tools, these incidents highlight a critical truth: No vendor, no matter how big or influential, is immune to cyberattacks. That’s why I’m passionate about school data sovereignty—the idea that educational institutions should maintain full control over their data, especially sensitive PII (Personally Identifiable Information) of students and parents. Sharing this data with external suppliers isn’t just risky; it’s a potential disaster waiting to happen. We’ve seen ransomware attacks on charter schools and retirement plan administrators compromising thousands more. Prioritizing data protection means: • Auditing vendors rigorously: Demand transparency on their security practices and data handling. • Minimizing data sharing: Only provide what’s absolutely necessary, and anonymize where possible. • Investing in on-premises or sovereign solutions: Keep critical data under your roof to reduce third-party risks. Educators, administrators, and parents: Let’s make data sovereignty a non-negotiable in our schools. What steps is your institution taking to safeguard student privacy? Share your thoughts below—I’d love to hear strategies or challenges you’re facing. #DataSovereignty #EdTech #StudentPrivacy #CyberSecurity #EducationLeadership

INSTITUTIONS, ARE YOUR SYSTEMS SECURE? My Recent Experience with a University Portal Left Me Speechless Yesterday, I was given special permission to carry out a penetration test on the official portal of a university. I approached the task with a clear goal: explore, test, and report any vulnerabilities to help the institution strengthen its digital security. But what I uncovered during this test was deeply alarming. In just a short time, I was able to access several high-level accounts, including those belonging to the Registrar, the Admissions Officer, the Directorate of Student Evaluations, and even the Super Admin of the entire platform. These were not demo credentials. These were real, live accounts, sitting exposed on a platform that serves thousands of students and staff. I had to ask myself: Is this truly an institutional portal, or a vulnerable testing ground waiting to be compromised? We are talking about sensitive data, high-level administrative control, and unrestricted access to core academic systems. If this kind of access had landed in the hands of a malicious actor, the consequences could have been disastrous from altered admission lists and fake certificates to deleted student records and system-wide shutdowns. This experience has raised serious concerns about the digital security posture of many institutions across the country. And so, I say this with urgency: Institutions must move beyond basic IT operations and establish dedicated penetration testing teams. These teams must regularly assess their platforms for vulnerabilities and work proactively to patch weaknesses before bad actors exploit them. Security is not a luxury. It’s not a one-time effort. It is a continuous process and a critical part of institutional survival in this digital age. I share this not to sensationalize what I found, but to sound the alarm. Too many institutions are trusting outdated or poorly protected systems to manage the lifeblood of their operations. It is only a matter of time before someone takes advantage. I was given permission. But the next person may not ask. To institutional leaders, ICT directors, and education policymakers, now is the time to act. Invest in security, build strong internal teams, and engage ethical hackers before you encounter unethical ones. The safety of your digital infrastructure is the safety of your entire institution.

Three national interviews today. One message: Canada needs to rethink how we protect student data — before this becomes the norm. Today I spoke with Ben Mulroney, Jerry Agar, and CBC Cape Breton’s Steve Sutherland about the PowerSchool cyber breach, which has compromised the personal data of millions of Canadians — including children — across over 80 school boards. In Cape Breton, ~13,000 current students and 3,200 staff were impacted — but records of ~35,000 former students were also swept up. In Ontario, the Toronto and Peel school boards alone saw over 2.4 million student records exposed. Nationwide, the breach extends across 7 provinces and 1 territory — and even after PowerSchool paid the ransom, hackers kept the data and are now targeting school boards directly. This can’t just be treated as an isolated IT failure. It raises major questions about national priorities and preparedness. What should we be talking about as a country? • Digital sovereignty: Why is our public education system relying on foreign-owned, cloud-based platforms with no legal requirement to store data in Canada? • Public accountability: Who is overseeing how student data is managed — and why aren’t breach disclosures mandatory nationwide? • Cybersecurity investment: Are we prepared for AI-powered ransomware attacks on education, healthcare, and public infrastructure? • Capacity-building: Where is the national strategy to build secure, Canadian-made digital platforms for public institutions? Listen to the full conversations: • Ben Mulroney Show: https://lnkd.in/gcyB7p-m • Jerry Agar Show: https://lnkd.in/gp_aMWHX • CBC Cape Breton: https://lnkd.in/gYpSma7D This breach isn’t just about PowerSchool — it’s about public trust, national resilience, and how we protect the next generation in a digital age. For more information, check out the blog post: https://lnkd.in/gRSYrQCV

🚨 New Federal Guidance on PRC Academic Risks The U.S. Department of Education— in partnership with the U.S. Intelligence Community — just issued an important bulletin warning #universities about the #nationalsecurity risks posed by PRC-linked research partnerships. This is a major milestone. 🧠📚 Kudos to Paul Moore, DoE’s Chief Investigative Counsel, for his leadership on this issue — and for working across government to drive much-needed clarity and coordination. The bulletin reflects years of behind-the-scenes efforts to help safeguard American innovation and intellectual property from foreign interference. Many of us at the Foundation for Defense of Democracies (FDD) have raised these concerns for years — across testimonies, monographs, and dialogues with federal and academic institutions. This bulletin shows that progress is possible when vigilance meets action. 📄 Read the full “Safeguarding Academia” bulletin here in this Office of the Director of National Intelligence release: https://lnkd.in/eBvDp7nA #China #NationalSecurity #HigherEd #ResearchSecurity #AcademicFreedom #FARA #IPProtection #DepartmentofEducation #SafeguardingAcademia #FDD #ForeignInterference #foreignpolicy #duediligence #espionage #unitedfront #research #researchintegrity