Infinite Campus Salesforce Breach Exposes 137,000 School Staff Records
What Happened — A misconfiguration in Infinite Campus’s Salesforce tenant allowed unauthorized access to data tied to approximately 137,000 school‑staff accounts. The exposed information includes names, email addresses, and employment details.
Why It Matters for Compliance & Audit Readiness
- Demonstrates the risk of relying on third‑party SaaS platforms without continuous vendor‑risk monitoring—exactly the scenario SOC 2 vendor‑management controls are designed to address.
- Highlights the need for auditable evidence that third‑party security controls are reviewed, documented, and re‑validated after any change.
- Provides a real‑world example of why a Trust Center that aggregates vendor‑risk attestations can serve as defensible audit proof.
Who Is Affected – K‑12 education institutions and their staff; SaaS vendors that integrate with Salesforce.
Recommended Actions –
- Map the breach to SOC 2 CC6.1 (Third‑Party Risk Management) and verify that your vendor‑assessment program includes continuous monitoring of SaaS configurations.
- Collect and retain evidence of Salesforce security‑configuration reviews, access‑log exports, and any remediation tickets as audit artifacts.
- Conduct a focused risk‑reassessment of all third‑party CRM integrations and update contractual security clauses accordingly.
Technical Notes – The incident stemmed from an improperly scoped Salesforce permission set that granted broader read access than intended. No public CVE is associated; the exposure was limited to staff‑profile fields stored in the CRM. Source: TechRepublic