What to Do After a School Data Breach

School data breaches are surging. In May 2026, the Canvas learning management system breach exposed data from nearly 9,000 educational institutions, affecting an estimated 275 million students, teachers, and staff. If your child's school has been hit by a data breach, you need to act quickly. Here is a step-by-step guide to protecting your family.

Why Schools Are Prime Targets

Educational institutions store vast amounts of sensitive data — student names, dates of birth, Social Security numbers, home addresses, parent contact information, health records, disciplinary records, and academic performance data. At the same time, schools typically operate with limited cybersecurity budgets and rely on third-party platforms that may have their own vulnerabilities.

The result is a growing wave of attacks. Ransomware groups specifically target school districts and the technology vendors they depend on because the data is valuable and the defenses are often weak.

Step 1: Understand What Was Compromised

When you receive a breach notification from your school district or an educational vendor, read it carefully to understand:

• What type of data was exposed: Was it limited to names and email addresses, or did it include Social Security numbers, dates of birth, health records, or financial information?
• Who was affected: Students, parents, teachers, or all of the above?
• When the breach occurred: Some breaches go undetected for weeks or months before notification.
• What the organization is offering: Free credit monitoring, identity protection services, or other remediation.

The severity of your response should match the sensitivity of the data exposed. A breach of email addresses requires different action than a breach of Social Security numbers.

Step 2: Protect Your Child's Identity

Children are especially vulnerable after a data breach because identity theft against minors often goes undetected for years — until the child applies for their first job, student loan, or credit card.

Freeze Your Child's Credit

This is the single most important step. Contact all three credit bureaus to place a credit freeze on your child's file:

• Equifax: equifax.com/personal/help/place-freeze-minor-child/
• Experian: experian.com/freeze/form.html (select "Add a minor")
• TransUnion: transunion.com/credit-freeze (follow the minor child process)

A credit freeze prevents anyone from opening new accounts in your child's name. It is free and can be temporarily lifted when your child legitimately needs credit.

Check for Existing Fraud

Request a manual search of your child's Social Security number at each credit bureau. If a credit file already exists for a minor who has never applied for credit, it is a strong indicator that their identity has been misused.

Step 3: Secure Affected Accounts

If the breach involved login credentials for school platforms, take immediate action:

• Change passwords: Update the password for the affected school account and any other account that uses the same password
• Enable MFA: If the school platform offers multi-factor authentication, turn it on
• Review account activity: Check for unauthorized access, unfamiliar messages, or changes to account settings
• Watch for phishing: Breached email addresses will be targeted by phishing campaigns. Warn your child to be suspicious of emails claiming to be from the school or the affected platform

Step 4: Protect Yourself as a Parent

School breaches often expose parent data too — your name, address, email, phone number, and sometimes financial information if you made payments through the platform.

• Change your passwords: Update any account that shared a password with the school platform
• Monitor your credit: Check your credit reports at annualcreditreport.com and set up fraud alerts if your Social Security number may have been exposed
• Watch for targeted scams: Expect phishing emails and phone calls that reference the breach, your child's school, or specific details from the compromised data. Scammers exploit breaches by impersonating the affected institution.

Step 5: Accept Free Monitoring — But Know Its Limits

Many schools and vendors offer free credit monitoring or identity protection services after a breach. Accept these offers, but understand their limitations:

• Credit monitoring detects new account openings but cannot prevent them — only a credit freeze does that
• Standard credit monitoring rarely covers minors adequately
• Free monitoring typically lasts 12 to 24 months, but stolen data can be exploited years later
• Monitoring does not address data broker re-circulation — your information may continue to spread through the broker ecosystem

Step 6: File Official Reports If Needed

If you discover actual identity theft or fraud as a result of the breach:

1. File an identity theft report at identitytheft.gov — this creates an official FTC recovery plan
2. File a police report with your local department — some creditors require this to resolve fraudulent accounts
3. Notify the school district so they can track the scope of harm and coordinate with law enforcement
4. Contact the U.S. Department of Education Student Privacy Policy Office at studentprivacy.ed.gov if you believe FERPA protections were violated

Long-Term Protection for Your Family

A single data breach sets off a chain reaction. Once your child's or family's information enters the data broker ecosystem, it circulates among hundreds of aggregators and people search sites, making your family a target for future scams, doxxing, and identity theft.

PrivacyOn provides ongoing protection for your entire family. We remove personal information from 100+ data broker sites, continuously monitor for re-listings, and scan the dark web for your family's leaked credentials and personal data. Family plans cover up to 5 people starting at $8.33 per month — giving you peace of mind long after the breach notification emails stop.