
You can probably put a number on the value of the building your school is in, or on how much your school's most accomplished teacher is worth. You can also say how many students are enrolled, find out whether planning is on schedule, and more. One thing that is usually left out is the data you collect; that is, data that isn't attached to a dollar sign.
The short version:
The records a school keeps are among the most sensitive any institution holds, and nearly impossible to undo once exposed.
Most now sit on platforms you don't control (one Canvas breach reached thousands of schools at once), and the quiet everyday gaps (shared logins, accounts no one closed) matter as much as any attacker.
Regulators across the EU, and Moldova from August 2026, now expect you to show you have it in hand.
The reassuring part: this doesn't take an enterprise budget. It starts with knowing what you hold, where it lives, and who can reach it.
What you're really holding
Picture the files your school keeps on a single child. Not just a name and a class. A date of birth, a home address, who's allowed to collect them. Maybe a medical condition, a family situation the parents told you in confidence, a note from the year things were hard at home. Now multiply that by every child who has ever walked through your doors.
That's what you're holding. Not "data." The private life of every family who trusted you with their kid.
Most of it, those children handed over before they were old enough to agree to any of it, and you gathered it not to profit from it but because you can't teach a child well without knowing them. A shop holds a customer's card number, which they can cancel by lunchtime. You hold the things that can never be reissued: who a child is, what's wrong with them, what's happening at home.
And that's the part that should keep you up, not a hacker in a hoodie. A leaked password is changed by Friday. A child's date of birth and medical history stay with them for life. If those files ever end up outside your school, in the wrong hands, on the open internet, you can't pull them back. There's no undo. That's what people mean by a "breach," stripped of the jargon: something you were trusted to keep, ending up somewhere it was never meant to go.
What it actually costs you when it goes wrong
When those files end up where they shouldn't, the cost reaches you in three waves. The first is the one everyone warns you about. The last is the one that can close a school.
First, the regulator. Across Europe, the fine for losing people's data this way is no longer a fixed sum, it's a slice of everything your school takes in over a year. The European rule allows up to 4% of that, or €20 million, whichever is larger [3]. From August 2026, Moldova's law works the same way, up to 2% [2]. Notice what that means: the bill grows with the size of your school, so it's just as real for a small academy as for a big one. Nobody is too small to be fined.

Second, the standstill. While you're sorting it out, your people stop doing their actual jobs. The office is on the phone to lawyers and parents instead of running the school day. Teachers can't reach the systems they teach with. The longer it takes you to even notice something's wrong, the longer this drags, and it can pull the whole school off course for weeks.
Third, and heaviest, the trust. This is the one a school rarely buys back. When a family enrols, they don't just pay you, they hand you their child's medical notes, their address, the name of who's allowed to collect them at the gate. That's not the trust a shop earns. It's the trust you give a person you're leaving your child with. Lose it, and a fine starts to look cheap: one parent tells another, the next intake is thinner, and a reputation you spent years building thins out in a season. The law puts a ceiling on the fine. Nothing puts a ceiling on what it costs you to lose a parent's faith.
Rich data, thin defences
Criminals don't break into schools by mistake. They go where the information is worth taking and the door is easy, and a school is one of the few places that's both. You hold some of the most sensitive records anyone keeps, and you protect them on the budget of a place built to teach children, not to fend off organised crime. Europe's cybersecurity agency, ENISA, says the biggest dangers right now are ransomware (criminals locking your systems and demanding payment), scam emails that trick staff into letting them in, and attacks that arrive through the suppliers you rely on [4]. A school is exposed to all three.
There are three soft spots, and you'll recognise all of them.
Your people. In most schools, IT is one person, or a company you call when something breaks. Passwords get shared around the staff room. When someone leaves, their login often stays alive for months. None of that is carelessness, it's just how a busy school runs. But it's also why criminals rarely need anything clever: one borrowed password, or one convincing email to a member of staff on a Tuesday morning, and they're in.
Your platforms. This is where it gets big. The systems you run the school on, where you keep registers, grades, messages, are the same systems thousands of other schools use. That's exactly what makes them worth attacking: get into one, reach everyone. In May 2026 that's precisely what happened to Canvas, the platform schools use to run lessons and hold student records. Students' names, ID numbers and private messages were taken, and the attacker claimed to have reached nearly 9,000 schools and universities at once [1]. Nobody broke into 9,000 buildings. One supplier was breached, and every school behind it went with it. Your safety now depends on the care of companies you'll never meet.

Time. When no one's watching, a break-in can sit unnoticed for months, and the longer it hides, the more it costs you. The school that spots it in days gets off lightly. The one that spots it a quarter later doesn't. How fast you'd notice is the one thing on this list you actually control.
Now you have to show your work
For years, the rules worked a bit like a clean driving record: as long as you never crashed, nobody asked to see your paperwork. That's changed. The people who enforce these rules have stopped waiting for something to go wrong. Now they ask a harder question, ahead of time: can you show you had this under control?
You can see it in what they're checking. Across Europe in 2026, data-protection regulators in 25 countries are going to organisations and asking them to demonstrate, on the spot, exactly what personal information they hold and how they use it, no break-in required [6]. Being able to say "nothing's gone wrong" is no longer enough. You're expected to be able to show your working.

So imagine the question arriving on your desk. Not "have you been hacked," but "show us everywhere a single child's record is kept, who can open it, and why." Most schools couldn't answer that quickly, because the information is scattered, some in the student system, some in spreadsheets, more in old emails nobody's opened in years. That used to be merely untidy. Now, not being able to answer is itself the thing they write down.
This is the way things are heading everywhere, and in Moldova it now has a date. From 2026, the country's new data-protection law brings in the same approach as the rest of Europe and requires a school to report a serious leak when one happens [2]. What's arriving here is what's already arrived across the continent.
The part you actually control
It's easy to read all this and decide it's a money problem, that without the budget of a big institution, you've already lost. You haven't. How much a break-in costs you depends far less on what you spend than on two things you can change yourself: how well you know your own information, and how quickly you'd notice something was wrong.
Knowing what you hold is the dull half, and the one that matters most. Most of what goes wrong in a school isn't a master criminal, it's information nobody kept track of: the spreadsheet of pupil details on someone's home laptop, the app one department signed up for without telling anyone, the still-working login of a teacher who left in 2022. You can't protect what you don't know you have. Sitting down and listing it, what you hold, where it lives, who can open it, removes more risk per hour than anything you could buy.
Speed is the other half. A break-in caught in days costs a fraction of one caught three months later, because the harm keeps growing the whole time it stays hidden. You don't need a fancy security centre for this. You need one person whose job is to keep an eye out, and the habit of actually looking.
And none of this needs a fortune. Look at the country you're in. In just three years, Moldova went from the bottom of the regional tables to a place its neighbours now learn from, simply by investing in skills and getting ready instead of waiting [7]. If a whole country can move that fast, a single school can certainly list what it holds and get quicker at spotting trouble. The moment you decide it's possible, it is.
Doing nothing has a price now
The information your school holds is a bit like a debt nobody has written down. It sits there quietly, costs nothing on an ordinary day, asks for nothing, and that is exactly why it's so easy to forget you're carrying it.
What's changed is that the cost is now coming due. The people who make the rules will hold you responsible for not knowing what you hold, and the platforms you depend on are carrying your families' information whether or not you've ever checked how safe it is. So the real choice is a simple one: get a proper handle on this yourself, calmly and in your own time, or leave it, and let the cost arrive on its own terms one day. One of those is a decision. The other is a decision too. You just won't have noticed making it.
Frequently asked questions
What counts as sensitive data in a school?
More than passwords and payment details. It includes data that can't be reissued (names, dates of birth, government IDs), protected records (safeguarding, medical, special educational needs), and the credentials that open every other system. The protected tier is the one most businesses never hold and a school can't run without.
Is a breach actually likely, or is this a rare event?
It's now routine. Across Europe, regulators receive an average of 443 breach notifications a day, up 22% in a year [5], and education is among the sectors ENISA names as under sustained attack [4].
Why would attackers target a school rather than a larger organisation?
Schools hold unusually sensitive data on an unusually thin budget. A stolen student identity can't be cancelled like a credit card, so it keeps its value for years, and shared platforms let one breach reach thousands of schools at once [1].
Are we exposed if the breach happens at one of our software vendors?
Yes. The platforms a school runs on are single points of failure, as the 2026 Canvas breach showed when one supplier exposed student data across thousands of institutions [1]. Treat every platform you rent as part of your own walls.
How is the cost of a breach measured now?
Increasingly as a share of turnover. The GDPR allows fines up to 4% of annual turnover or €20 million [3]; from 2026, Moldova's law works the same way, up to 2% [2]. The fine is rarely the largest cost: recovery, downtime and lost enrolments sit on top.
Where should a school start?
With visibility, not new tools. Map what you hold and where it lives, limit who can reach each system, and make sure someone would notice unusual access quickly. In most schools the biggest exposure is simply not knowing what you hold.
References
[1] Instructure Canvas data breach, May 2026 (names, IDs, enrolment data and messages exposed; ~280M records / 8,809 institutions claimed by the attacker, unconfirmed). BleepingComputer; Ziarul Național (MD).
[2] Moldova, Law No. 195/2024 on Personal Data Protection (in force 23 August 2026; fines up to 2% of turnover). Legis.md; CNPDCP.
https://www.legis.md/cautare/getResults?doc_id=144681&lang=ro
[3] GDPR (Regulation (EU) 2016/679), Article 83 (fines up to 4% of turnover or €20M). EUR-Lex.
https://eur-lex.europa.eu/eli/reg/2016/679/oj
[4] ENISA, Threat Landscape 2025 (ransomware, phishing, supply-chain risk; education targeted).
https://www.enisa.europa.eu/sites/default/files/2026-01/ENISA%20Threat%20Landscape%202025_v1.2.pdf
[5] DLA Piper, GDPR Fines and Data Breach Survey, January 2026 (443 breach notifications/day, +22% YoY).
[6] EDPB, CEF 2026: coordinated enforcement on transparency (Articles 12–14 GDPR), March 2026.
[7] Moldova Cybersecurity Forum 2026, Radio Moldova (cyber-readiness climb; ~3,000 professionals trained).