At least those are mainly going to be adults. In the case of Instructure, there are many K12 school districts using Canvas as well. They are potentially selling lists of underage children along with where they live, and contact info like email and phone number.
These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.
Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
I’m tired of it being my problem to fix. You should be able to know everything about me and still not be able to get accounts/credit/whatever in my name.
Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.
Infrastructure’s motivations must have lain elsewhere…
The only outcome I got from their incidents is 1 year free "identity protection service" which I didn't use.
Should be a lesson for Instructure to have proper architecture and not store PII they don't need in their processes.