Infinite Campus Salesforce Breach Exposes 137,000 K‑12 Staff Records
What Happened — In March 2026 the ShinyHunters extortion gang breached the Salesforce instance that powers Infinite Campus’s student‑information system. A 1.2 GB archive containing names, email addresses, phone numbers, physical addresses, job titles and support‑ticket data for ≈ 137 k staff accounts was leaked. Infinite Campus confirmed the data was limited to staff directory information and found no evidence of student‑record compromise.
Why It Matters for Compliance & Audit Readiness
- The incident is a textbook example of a credential‑access failure that SOC 2 CC6.1 (Logical Access) is designed to prevent and document.
- Continuous monitoring of privileged SaaS accounts and immutable audit logs become critical evidence that your organization enforces “least‑privilege” and MFA controls.
- Demonstrating up‑to‑date access‑control policies and security‑awareness training satisfies both the “Security” and “Availability” trust principles during a SOC 2 audit.
Who Is Affected — K‑12 school districts, EdTech SaaS providers, and any organization that integrates staff data into a shared Salesforce environment.
Recommended Actions
- Map the breach to SOC 2 CC6.1 and verify that MFA is enforced for all Salesforce admin and service accounts.
- Deploy real‑time monitoring of Salesforce login activity and set alerts for anomalous access patterns.
- Refresh security‑awareness training focused on credential phishing and SaaS‑account hygiene for privileged users.
- Collect and retain logs, MFA enforcement records, and policy updates as audit‑ready evidence.
Technical Notes — Attack vector: compromised Salesforce credentials (likely via phishing or credential reuse). Data types: personally identifiable information (PII) of staff (names, emails, phone numbers, addresses, job titles, support tickets). Source: BleepingComputer