HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Infinite Campus Salesforce Breach Exposes 137,000 School Staff Records

A misconfiguration in Infinite Campus’s Salesforce environment leaked personal data for roughly 137,000 school staff members. The incident illustrates how inadequate third‑party risk oversight can lead to data exposure, a key focus of SOC 2 vendor‑management controls.

LiveThreat™ Intelligence · 📅 June 17, 2026· 📰 techrepublic.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
techrepublic.com

Infinite Campus Salesforce Breach Exposes 137,000 School Staff Records

What Happened — A misconfiguration in Infinite Campus’s Salesforce tenant allowed unauthorized access to data tied to approximately 137,000 school‑staff accounts. The exposed information includes names, email addresses, and employment details.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates the risk of relying on third‑party SaaS platforms without continuous vendor‑risk monitoring—exactly the scenario SOC 2 vendor‑management controls are designed to address.
  • Highlights the need for auditable evidence that third‑party security controls are reviewed, documented, and re‑validated after any change.
  • Provides a real‑world example of why a Trust Center that aggregates vendor‑risk attestations can serve as defensible audit proof.

Who Is Affected – K‑12 education institutions and their staff; SaaS vendors that integrate with Salesforce.

Recommended Actions

  • Map the breach to SOC 2 CC6.1 (Third‑Party Risk Management) and verify that your vendor‑assessment program includes continuous monitoring of SaaS configurations.
  • Collect and retain evidence of Salesforce security‑configuration reviews, access‑log exports, and any remediation tickets as audit artifacts.
  • Conduct a focused risk‑reassessment of all third‑party CRM integrations and update contractual security clauses accordingly.

Technical Notes – The incident stemmed from an improperly scoped Salesforce permission set that granted broader read access than intended. No public CVE is associated; the exposure was limited to staff‑profile fields stored in the CRM. Source: TechRepublic

📰 Original Source
https://www.techrepublic.com/article/news-infinite-campus-salesforce-breach-school-staff-data/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →