This report is intended for university leadership (Vice-Chancellors, Deputy Vice-Chancellors, Registrars, Chief Operating Officers, and Council members) who are responsible for institutional risk, operational continuity, and student welfare. The report draws on incident data, industry threat intelligence, and publicly documented cyberattacks affecting South African and Sub-Saharan African universities in recent years.
Higher education across the African continent operates under a rapidly evolving cybersecurity threat landscape. Public reporting from 2023 to 2026 has documented cyber incidents affecting universities in Southern Africa, alongside a large-scale coordinated incident in East Africa and the global Canvas/Instructure supply chain breach of May 2026, which affected institutions in more than 50 countries. Education has emerged as one of the most targeted sectors globally for ransomware, denial-of-service campaigns, and third-party vendor compromise.
A significant cybersecurity incident at a university is not solely an IT matter. Industry research suggests that incidents in this sector can disrupt registration cycles, delay financial aid processes, expose personal data, and attract regulatory scrutiny. IBM's Cost of a Data Breach Report places the average cost of a breach in South Africa at R53.1 million — a figure that does not include reputational impact, legal costs, or potential regulatory consequences under the Protection of Personal Information Act (POPIA).
The Scale of the Threat
Education is now the second-most attacked sector in South Africa. Across the continent, attack volume against universities has climbed sharply year-on-year — and the perpetrators are professional operators, not opportunists.
3,480 cyberattacks are recorded each week against South African government and military targets, the sector most adjacent to higher education in both threat profile and adversary motivation.
Source: Check Point Research, 2025 [2]
| Figure | What it measures |
|---|---|
| 3,480 | Attacks per week on SA government and military [2] |
| +23% | Year-on-year increase in education sector attacks [7] |
| R53.1M | Average breach cost, South African institution [3] |
| 586,130 | Nigerian financial and telecoms cyberattacks, H1 2024 [4] |
Universities are disproportionately affected by cyberattacks, because they combine three characteristics that attract attackers: large stores of personal data, underfunded security teams, and a strong institutional incentive to pay ransoms quickly to restore academic continuity.
South Africa faces the most acute risk in Sub-Saharan Africa. The country's well-developed internet infrastructure and high degree of institutional digitisation make it both a target-rich environment and one where attacks cause significant disruption. The education sector sits behind government as the most attacked sector, with universities specifically singled out because they hold financial systems, health data (in the case of medical schools), research IP of national value, and personal data on hundreds of thousands of students and staff.
In East Africa, Kenya has emerged as the most targeted country for hacktivist DDoS campaigns. The July 2023 Anonymous Sudan attack simultaneously hit 10 Kenyan universities alongside hospitals, banks, and the government's eCitizen platform, representing one of the largest coordinated cyberattacks on civilian infrastructure in African history.
| Figure | What it measures |
|---|---|
| 10 | Kenyan universities DDoS'd simultaneously, July 2023 [9] |
| Up to R10M | POPIA administrative fine for non-compliance [12] |
| 3+ | SA institutions with publicly reported incidents, 2023 to 2025 |
Overview: Rhysida is a ransomware-as-a-service (RaaS) operation that emerged in early 2023. The group's primary motivation is financial gain, employing a double extortion model where victims' data is both encrypted and exfiltrated, with threats of public release if ransom demands are not met. Evidence suggests links to Russian-speaking threat actors, with strong overlaps in tactics with the Vice Society ransomware group.
Key characteristics: Rhysida typically gains initial access through phishing campaigns, exploitation of unpatched VPN software and CVE-2020-1472 (Zerologon), and compromised RDP access points. Once inside, the group deploys Cobalt Strike for post-exploitation, uses PsExec to distribute ransomware payloads, and employs Living Off the Land techniques to evade detection. Encryption uses ChaCha20 with a 4096-bit RSA key, appending the '.rhysida' extension. The group employs double extortion: victims receive a ransom note directing them to a Tor-based portal, and exfiltrated data is published on a dark web leak site if payment is refused.
- Active since: Early 2023
- Origin: Russian-speaking
- Model: RaaS, double extortion
- Encryption: ChaCha20 + RSA-4096
- Initial access: Phishing, VPN exploits, Zerologon, RDP
- Linked incident: SA university (Dec 2023, per public reports)
Overview: BlackCat (ALPHV) first emerged in mid-November 2021 as the first major criminal group to deploy ransomware written in the Rust programming language, enabling cross-platform attacks across Windows, Linux, and VMware ESXi. The group is assessed with high confidence to be of Russian-speaking CIS origin, with ties to the defunct groups DarkSide and BlackMatter. It operates a triple extortion model: encryption, data publication, and in some cases DDoS attacks against victims.
Key characteristics: Affiliates gain access through stolen credentials, RDP and VPN vulnerabilities, ProxyShell exploits, and initial access brokers. The Rust-based ransomware uses ChaCha20 and AES encryption. The custom exfiltration tool Exmatter steals data before encryption. Defence evasion includes disabling security software via malicious signed kernel drivers (POORTRY malware), deleting shadow copies, and stopping VMware snapshots. Ransom demands are typically in the multi-million dollar range, in Bitcoin or Monero.
- Active since: November 2021
- Origin: Russian-speaking (CIS)
- Lineage: DarkSide → BlackMatter → ALPHV
- Language: Rust (cross-platform)
- Targets: Windows, Linux, VMware ESXi
- Model: RaaS, triple extortion
- Tooling: Exmatter, POORTRY drivers
Overview: APT 41 is a Chinese cyber threat group active since at least 2012, with a unique dual operational model: state-sponsored espionage in parallel with financially motivated cybercrime. Associated with the Chinese government, the group is known for targeting universities, research institutions, and technology companies for intellectual property theft, while also pursuing financial gain through virtual currency manipulation.
Key characteristics: APT 41 gains access through spear-phishing, supply chain compromises via software updates, and rapid exploitation of newly disclosed vulnerabilities (Log4Shell, Citrix ADC, ProxyLogon, and zero-days including CVE-2025-6554). The group deploys custom backdoors including ShadowPad, PlugX, and DUSTTRAP, alongside Cobalt Strike for C2. Evasion techniques include DLL side-loading, rootkits, and leveraging legitimate cloud services like Google Calendar for command-and-control communications.
- Active since: At least 2012
- Origin: China (PRC)
- Aliases: Wicked Panda, BARIUM
- Model: State + Financial
- Targets: Universities, research, tech
- Motive: IP theft, cryptocurrency
- Tooling: ShadowPad, PlugX, DUSTTRAP
How Universities Are Being Attacked
Five attack categories account for nearly every incident on record — ransomware, DDoS, credential stuffing, web application exploits, and supply-chain compromise. They are routinely combined.
Universities face five primary attack categories, often used in combination.
Ransomware is the most damaging attack type. Criminal software infiltrates the institution's network through phishing, exposed remote access, or unpatched vulnerabilities, and silently encrypts files across servers, student records systems, financial databases, and research repositories. Attackers study academic calendars and deliberately strike during registration periods or examination seasons, when the pressure to restore systems is greatest and the institution's tolerance for prolonged disruption is lowest. The average ransomware recovery takes 21 to 24 days, representing a significant portion of a semester. [6]
A DDoS attack floods university websites and digital services with traffic volumes far beyond what infrastructure can handle. Modern attacks are large: the largest single attack against South African infrastructure in H1 2025 peaked at 312 Gbps, with 213,523 individual DDoS attacks recorded in just six months. [1] DDoS-for-hire services offer attacks from as little as EUR 5 for a five-minute attack, meaning any motivated actor can commission an attack for less than the cost of a monthly mobile contract. [8] Mitigation requires absorbing attack traffic before it reaches the institution's network, which is precisely what Cloudflare's global anycast network, with edge presence in various cities in Africa, provides.
Criminals purchase lists of stolen credentials from other data breaches and use automated tools to try them against university login pages at tens of thousands of attempts per minute. The May 2026 Canvas breach placed 275 million email addresses into criminal hands overnight, creating a ready-made credential stuffing list targeting every university portal where those students also hold accounts. [13] When an attacker successfully logs in, they can access personal information, intercept financial aid communications, or change bank details for bursary disbursements.
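How a security team can spot this pattern in portal authentication logs, as an added example that is not part of the original report: one source trying many different usernames in a short window with an overwhelming failure rate, plus the accounts that source did get into. The log format, thresholds, addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed auth log: '<ISO time> <source IP> <username> <outcome>'."""
    base = datetime(2026, 5, 20, 8, 0, 0)
    lines = []
    # Stuffing run: one source tries 40 different accounts, one per second.
    # A single reused password works (student017).
    for i in range(40):
        outcome = "success" if i == 17 else "failure"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.50 student{i:03d} {outcome}")
    # Ordinary user: two typos, then a good login.
    for i, outcome in enumerate(["failure", "failure", "success"]):
        ts = (base + timedelta(seconds=10 + 5 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 staff.member {outcome}")
    # Campus NAT gateway: many distinct users, but most logins succeed.
    for i in range(30):
        outcome = "failure" if i % 10 == 0 else "success"
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 192.0.2.10 campus{i:03d} {outcome}")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def detect_stuffing(lines, window=timedelta(seconds=60),
                    min_users=20, min_fail_ratio=0.9):
    """Flag sources that try many distinct usernames with mostly failures.

    Returns {ip: {"first_seen": datetime, "compromised": set_of_usernames}}.
    'compromised' lists accounts the flagged source logged in to; these
    need a forced password reset and a review of recent profile changes.
    """
    recent = defaultdict(deque)  # ip -> events inside the sliding window
    alerts = {}
    for line in lines:
        ts_raw, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_raw)
        ok = outcome == "success"
        events = recent[ip]
        events.append((ts, user, ok))
        while ts - events[0][0] > window:  # drop events older than the window
            events.popleft()

        if ip in alerts:
            if ok:
                alerts[ip]["compromised"].add(user)
            continue

        distinct_users = {u for _, u, _ in events}
        failures = sum(1 for _, _, success in events if not success)
        if (len(distinct_users) >= min_users
                and failures / len(events) >= min_fail_ratio):
            alerts[ip] = {
                "first_seen": events[0][0],
                # Successes that happened before the threshold was crossed
                # still count: they are the accounts the attacker now holds.
                "compromised": {u for _, u, success in events if success},
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(build_sample_log()).items():
        print(ip, info["first_seen"].isoformat(), sorted(info["compromised"]))
```

The failure-ratio condition is what keeps the campus NAT address, which also presents many usernames, from being flagged.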
Every web-facing university system is potentially vulnerable to SQL injection, cross-site scripting, and application-layer exploits. The October 2025 Oracle E-Business Suite zero-day — publicly reported as affecting a South African research university — is a recent example: a flaw in widely-used enterprise software that, where exploited, provided attackers access to HR, finance, and student information systems. When Oracle disclosed the vulnerability, every institution running that software was exposed from the moment the flaw became known. Cloudflare's WAF published a virtual patching rule within hours of disclosure; universities behind Cloudflare were shielded before their internal patch cycle had even begun.
When any cloud-based service provider is breached, every institution relying on them is simultaneously exposed, without any attack ever touching the university's own network. The May 2026 Canvas/Instructure breach is the largest educational supply chain attack on record. ShinyHunters exploited an authentication weakness in Instructure's Free-For-Teacher account programme to traverse tenant boundaries and extract 3.65 TB of data from 8,809 institutions simultaneously. [13][14] Any institution using Canvas — including SA universities deploying the platform — was exposed to the same disclosure of student names, email addresses, student IDs, and private messages, with no advance warning and no ability to prevent the breach through conventional IT controls.
African Universities Under Attack
Five publicly reported incidents — three in South Africa (generalised), one in Kenya, one global — illustrating the patterns leadership needs to recognise.
The five incidents below are drawn from publicly available reporting on cyber events affecting African higher education and the global education vendor ecosystem. Where institutions in Southern Africa are referenced, identifying details have been generalised; the underlying public reporting is cited in the sources section. The intent is to give university leadership context on the cyber threats and attacks facing universities, and to inform the decisions ahead.
CASE STUDY | South Africa | December 2023 | SEVERITY 5/5
A South African University of Technology
| Field | Detail |
|---|---|
| Attack Type | Ransomware incident attributed in public reporting to the Rhysida group |
| Impact | According to public reporting, institutional data was accessed and subsequently posted by the Rhysida group. Systems were reportedly disrupted across multiple campuses, with recovery activity extending into early 2024 — overlapping with the registration cycle. Incident publicly disclosed and widely reported in South African media. |
| Key Lesson | Rhysida targets universities during holiday periods when IT staffing is reduced. The breach was enabled by inadequate network segmentation and the absence of a web application firewall and zero trust access controls. Post-breach recovery took months, during which students faced registration delays. |
CASE STUDY | South Africa | October 2025 | SEVERITY 4/5
A leading South African research university
| Field | Detail |
|---|---|
| Attack Type | Oracle E-Business Suite Zero-Day Vulnerability Exploitation |
| Impact | A critical zero-day in Oracle EBS (commonly deployed for HR, finance, and student administration) was reportedly exploited before Oracle issued a patch. Public reporting indicates that student and staff data was accessed. Institutions of this scale typically manage multi-billion-rand operating budgets and significant national research grant data. |
| Key Lesson | Zero-day vulnerabilities are by definition unknown until exploited. The only defence that can block zero-day exploitation before a vendor patch is available is a Web Application Firewall with virtual patching, which intercepts and blocks the attack pattern at the network edge. Oracle EBS is deployed at multiple South African universities; this attack vector applies equally to all of them. |
CASE STUDY | South Africa | 2024 | SEVERITY 2/5
A regional South African university
| Field | Detail |
|---|---|
| Attack Type | Targeted Cyberattack: Publicly Reported R100 Million Attempt, Detected and Blocked |
| Impact | According to public reporting, the institution's internal security team detected and blocked a targeted cyberattack publicly valued in the range of R100 million. The incident illustrates that smaller institutions are also active, high-value targets for professional adversaries. |
| Key Lesson | Institution size is not a deterrent. The R100M figure reported publicly reflects an assessed value of student PII, financial systems, and institutional data, rather than the institution's market profile. Manual detection alone is not a reliable long-term defence against professional, automated threat actors who routinely iterate their approach after a failed attempt. |
CASE STUDY | Kenya | 27 July 2023 | SEVERITY 4/5
University of Nairobi + 9 Other Kenyan Universities
| Field | Detail |
|---|---|
| Attack Type | Coordinated DDoS Campaign: Anonymous Sudan [9][10] |
| Impact | Ten Kenyan university websites simultaneously taken offline. The attack also disabled seven hospitals, Safaricom mobile services, M-Pesa transactions, the Kenya Power electricity token system, and the government's eCitizen platform [9]. The University of Nairobi (65,000+ students) had digital services disrupted for multiple days. Group founders arrested in the United States in October 2024. [10] |
| Key Lesson | Coordinated hacktivist DDoS campaigns can target entire sectors simultaneously. A single political or ideological event can put every university in a country in the crosshairs overnight. No effective DDoS mitigation infrastructure was in place at any of the targeted institutions. |
CASE STUDY: SUPPLY CHAIN BREACH | Global: 8,809 Institutions | May 2026 | SEVERITY 5/5
Canvas LMS (Instructure): ShinyHunters Supply Chain Breach
| Field | Detail |
|---|---|
| Attack Type | Authentication Abuse and Multi-Tenant API Exploitation: ShinyHunters [13][14] |
| Impact | 3.65 TB of data stolen from 8,809 institutions in 50+ countries. 275 million student records exposed including names, email addresses, student IDs, and private messages. Canvas taken offline globally during finals. MIT, Harvard, Oxford, and Duke among named institutions. SA universities using Canvas were exposed alongside all others. [13][14] |
| Key Lesson | This was a supply chain attack; universities had no control over their vendor's security. Cloudflare's Leaked Credentials Detection provides direct post-breach protection: as stolen Canvas email addresses circulate on criminal markets and are paired with password lists from other breaches, every login to university portals is checked in real time against the Have I Been Pwned breach database, blocking credential stuffing before access is gained. |
The Cost of Inaction
Financial, regulatory, operational, and reputational — the bill for a single breach runs deep into eight figures, before any reputational repair begins.
The IBM Cost of a Data Breach Report 2024 places the average cost of a breach in South Africa at R53.1 million — incident response, system restoration, POPIA notification, legal counsel. Ransom payments not included.
Source: IBM Cost of a Data Breach Report 2024 [3]
The IBM Cost of a Data Breach Report 2024 places the average cost of a breach in South Africa at R53.1 million. [3] This figure encompasses incident response costs, system restoration, regulatory notification obligations under POPIA, credit monitoring for affected students, and legal counsel. It does not include ransom payments, which, where paid, typically add R5 million to R50 million or more.
South Africa's Protection of Personal Information Act (POPIA) creates clear legal obligations for universities. As operators of large-scale personal information processing, universities are Information Responsible Parties under POPIA. A breach resulting from inadequate security measures can attract administrative fines of up to R10 million. Criminal liability for the Information Officer extends to imprisonment of up to 10 years in the most serious cases. [12]
International funding bodies (EU Horizon grants, US NIH, the Wellcome Trust) increasingly require demonstrated cybersecurity controls as a condition of grant disbursement. A breach arising from inadequate security can constitute grounds for grant recovery and disqualification from future funding rounds.
The average ransomware recovery time is 21 to 24 days. [6] For a university, three weeks represents a significant portion of a semester. Student registration systems going offline during January registration can affect tens of thousands of students and their NSFAS funding timelines. HR and payroll systems being encrypted can delay staff salary payments, creating immediate staff relations crises.
A publicly reported ransomware incident involving the disclosure of student personal data tends to generate significant negative media coverage and raises questions in the minds of prospective students, research partners, and international collaborators about the institution's competence and trustworthiness. In competitive higher education markets, reputation damage translates directly into enrolment impact in subsequent application cycles.
Why Traditional Defences Are Failing
Firewalls, antivirus, and email filtering remain necessary. They are no longer sufficient. The threat landscape has outrun the assumptions on which legacy infrastructure was designed.
Most, if not all, universities have firewalls, antivirus software, and email filtering. These are necessary but insufficient. The threat landscape has evolved dramatically faster than traditional defences, and the architectural assumptions underlying legacy security infrastructure are increasingly misaligned with how universities actually operate.
Traditional security infrastructure assumes that everything inside the university network is trusted. This "castle and moat" model is obsolete. Today's university operates across dozens of cloud platforms, student-owned devices, work-from-home staff, international research partners, and third-party software vendors, all of which connect to university systems from outside any defined perimeter. Legacy firewalls protect a boundary that no longer corresponds to where the data actually lives.
The largest DDoS attacks against South African targets in 2025 peaked at 312 Gbps. [1] No university's internet connection, and no on-premise security appliance, can absorb that volume. Defending against volumetric DDoS requires the ability to intercept and discard malicious traffic at a point in the network with sufficient capacity, namely, a global content delivery and security network with hundreds of points of presence distributed across the internet. This is not infrastructure any single institution can build or afford independently.
Zero-day vulnerabilities are unknown until exploited. Even when patches are issued, university IT teams working with limited staff and complex legacy environments cannot realistically patch all systems within the window between vulnerability disclosure and active exploitation. Virtual patching at the web application firewall layer provides a critical buffer: blocking known attack patterns at the network edge while the underlying software is patched through the normal cycle.
The cybercriminal groups targeting African universities (Rhysida, BlackCat/ALPHV, Anonymous Sudan affiliates) are professional organisations with dedicated research teams, automation tooling, and attack-as-a-service infrastructure. South African universities typically operate with IT security teams of 2 to 5 people, legacy monitoring tools, and security budgets that represent a small fraction of overall IT spend. Expecting these teams to detect, contain, and respond to professional ransomware operations without enterprise-grade tooling is unrealistic.
Built for Scale, Available for Universities
Cloudflare operates one of the largest global networks in the world, with local edge presence in Cape Town, Johannesburg, Durban and multiple African cities. The same infrastructure that protects global banks and governments is available to universities through Cloudflare's education programme.
Cloudflare operates one of the largest global networks in the world, with over 330 points of presence across more than 120 countries, including presence in regional data centres in Cape Town, Johannesburg, Durban, and various African countries. This infrastructure processes millions of HTTP requests per second and blocks billions of cyber threats every day. The same infrastructure that protects the world's largest financial institutions, governments, and technology companies can protect your university.
| Cloudflare Product | University Application and Benefit |
|---|---|
| Content Delivery Network (CDN) | Cloudflare's CDN caches static content, course materials, prospectuses, images, JavaScript, CSS, video, at hundreds of edge locations worldwide, including data centres in Cape Town, Johannesburg, Durban. Three concrete benefits: (1) origin offload — typically 60 to 90% of requests are served from cache, meaning the institution's web servers handle only a fraction of total traffic and survive enrolment-day load spikes without provisioning for peak; (2) bandwidth savings — egress bandwidth at the origin is one of the larger recurring infrastructure costs, and the CDN materially reduces it (often 70%+) because cached responses never leave the edge; (3) faster student experience — pages and media load several times faster on mobile and constrained networks, which is the reality for most students across Sub-Saharan Africa. The CDN sits in front of every other Cloudflare protection in this list, so security and performance are delivered through the same edge. |
| DDoS Managed Rules | Student portals, registration systems, and financial aid platforms are high-visibility targets during peak academic periods. Cloudflare's DDoS protection is always-on, unmetered, and requires no manual intervention: attacks are detected and mitigated automatically within seconds, regardless of volume. When registration opens and 40,000 students are trying to log in simultaneously, the portal stays up, whether facing legitimate demand or a coordinated attack. |
| Web Application Firewall | Every web-facing university system sits behind Cloudflare's WAF, which inspects and filters every request before it reaches the application. OWASP Top 10 attacks, SQL injection, cross-site scripting, and credential injection are blocked as a baseline. When a zero-day vulnerability is disclosed in enterprise software (as publicly reported in 2025 affecting Oracle EBS deployments in South Africa), Cloudflare publishes a virtual patching rule within hours, protecting institutions before their internal patch cycle has even begun. |
| Bot Management | Automated credential-stuffing tools attempt thousands of student portal logins per minute using credentials stolen from breaches like Canvas. Cloudflare Bot Management identifies and blocks these bots in real time, without adding login friction for legitimate students. Bursary and NSFAS portals, which attract targeted financial fraud attempts during disbursement windows, are protected without any change to the student experience. |
| Leaked Credentials Detection | Following the May 2026 Canvas breach, 275 million student email addresses entered criminal markets overnight. Leaked Credentials Detection checks every login against the Have I Been Pwned database and Cloudflare's own breach intelligence using a privacy-preserving hashed comparison, so plaintext passwords are never transmitted. When a match is found, the WAF flags the request so the institution can force a password reset, trigger MFA, or block the login entirely. [13] |
| Cloudflare Access (Zero Trust) | Legacy VPN infrastructure assumes that everyone inside the university network is trusted. Cloudflare Access removes that assumption entirely. Every connection to internal systems (from a researcher at a partner institution, a remote staff member, or a third-party vendor) is verified against identity before access is granted, on a per-application, per-user, per-session basis. No trusted perimeter to breach; no standing access to exploit. |
| Cloudflare Gateway (DNS Filtering) | Cloudflare Gateway acts as a secure DNS resolver and web filter for every device on the campus network and for remote staff and students via WARP. It blocks connections to known malware infrastructure, phishing domains, and command-and-control servers before a connection is ever established, stopping ransomware and data exfiltration at the DNS layer. For universities running open campus Wi-Fi across multiple sites, Gateway provides a consistent security baseline without requiring endpoint software. |
| Email Security (Area 1) | Phishing is the primary delivery mechanism for ransomware. Cloudflare's AI-driven email security scans inbound email before it reaches staff inboxes, identifying and quarantining business email compromise attempts, spear-phishing targeting finance and payroll teams, and malicious attachments. For a university IT team defending against professional ransomware operators, stopping the attack at the email layer before it reaches a staff member is the highest-leverage control available. |
| Magic Transit | For universities running on-premise data centres or hosting research infrastructure locally, Magic Transit provides network-layer DDoS protection at the IP layer, absorbing volumetric attacks before they reach the institution's own hardware. Particularly relevant for institutions with dedicated research computing or self-hosted financial systems. |
| API Shield | Student information systems, financial aid platforms, and research data repositories expose APIs that, if left unprotected, can be enumerated, abused, or exploited for bulk data extraction. API Shield discovers, maps, and enforces schema validation on every API endpoint, blocking malformed or anomalous requests and preventing the kind of cross-tenant API traversal exploited in the Canvas breach. [14] |
| Argo Smart Routing and Turnstile | Argo routes traffic through Cloudflare's private backbone, reducing portal load times by 30% or more on African internet infrastructure, material for a student in Limpopo on a mobile connection. Turnstile replaces intrusive CAPTCHA challenges with invisible, privacy-preserving bot detection on application forms, registration portals, and bursary submissions. |
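What a privacy-preserving hashed comparison of the kind described in the Leaked Credentials Detection row looks like in practice, as an added example that is not Cloudflare's or Lockdown IT's code. It is modelled on the public Have I Been Pwned range-query (k-anonymity) scheme; the corpus, counts, class and function names, and the decision thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
BREACHED_PASSWORDS = {"Password123": 5120, "ilovevarsity": 37, "Canvas2026!": 4}


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the lookup key format used by range queries.

    SHA-1 is used here only as a lookup key; it is not a way to store passwords.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeService:
    """Breach-database side. It only ever receives a 5-character hash prefix."""

    def __init__(self, corpus):
        self.buckets = defaultdict(dict)  # prefix -> {suffix: count}
        for password, count in corpus.items():
            digest = sha1_hex(password)
            self.buckets[digest[:5]][digest[5:]] = count
        self.seen_queries = []  # what the service operator could log

    def range(self, prefix):
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        self.seen_queries.append(prefix)
        bucket = self.buckets.get(prefix, {})
        # One 'SUFFIX:COUNT' line per breached hash sharing this prefix.
        # A real bucket holds hundreds of unrelated suffixes.
        return "\n".join(f"{s}:{n}" for s, n in sorted(bucket.items()))


def breach_count(password, service):
    """Login side: send the prefix, compare the remaining 35 characters locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in service.range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def login_decision(password, service, block_at=1000):
    """Map a breach count to one of the responses the report lists.

    The thresholds are illustrative assumptions, not a vendor default.
    """
    seen = breach_count(password, service)
    if seen == 0:
        return "allow"
    return "block" if seen >= block_at else "step_up_mfa"


if __name__ == "__main__":
    service = RangeService(BREACHED_PASSWORDS)
    for candidate in ["Password123", "Canvas2026!", "a-long-unique-passphrase-9417"]:
        print(candidate, "->", login_decision(candidate, service))
    print("service saw only:", service.seen_queries)
```

Neither the plaintext password nor its full hash appears in `seen_queries`; the match is decided on the login side.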
About Lockdown IT
Lockdown IT is a specialist Africa-based cybersecurity company. We design, implement, and manage enterprise cybersecurity solutions and infrastructure for institutions across Southern and Sub-Saharan Africa.
+27 11 024 5696 | www.lockdownit.co.za
About Cloudflare
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better internet. Cloudflare's platform protects and accelerates any internet application online, with Points of Presence throughout Africa.
© 2026 Lockdown IT (Pty) Ltd. All incident data is drawn from public sources.
All statistics and incident data cited in this report are drawn from the following publicly available sources. Reference numbers correspond to citation markers in the body text.
[1] NETSCOUT 1H 2025 Threat Intelligence Report. South Africa recorded 213,523 DDoS attacks in H1 2025; largest single attack 312 Gbps.
[2] Check Point Research: South Africa Cyber Attack Statistics 2025. SA government and military sector: 3,480 attacks/week (2025).
[3] IBM Cost of a Data Breach Report 2024. Average total cost of a data breach in South Africa: R53.1 million.
[4] Cybervergent H1 2024 Threat Report. 586,130 cyberattacks against Nigerian financial and telecoms companies in H1 2024.
[5] Cloudflare DDoS Threat Report Q2 2025. Cloudflare mitigated a record 7.3 Tbps DDoS attack in Q2 2025.
[6] Sophos State of Ransomware 2025. Average ransomware recovery time: 21 to 24 days.
[7] INTERPOL Africa Cyberthreat Assessment 2025. 23% year-on-year increase in weekly attacks; Nigerian educational institutions flagged as high-frequency targets.
[8] Kaspersky/Securelist: The Cost of Launching a DDoS Attack. DDoS-for-hire from EUR 5 for a five-minute attack; weekly subscriptions from USD 15.
[9] TechCabal: Anonymous Sudan Attacks Kenya (July 2023). 10 Kenyan universities, hospitals, banks, and government services simultaneously attacked.
[10] KrebsOnSecurity: Sudanese Brothers Arrested in AnonSudan Takedown (October 2024). US indictment of AnonSudan founders.
[11] Cloudflare Blog: DDoS Attacks on Universities. Cloudflare analysis of DDoS attack patterns targeting educational institutions.
[12] Protection of Personal Information Act (POPIA), Information Regulator South Africa. POPIA legal text and regulatory guidance. Section 19 (Security Safeguards) and Section 22 (Notification of security compromises).
[13] 2026 Canvas Security Incident (ShinyHunters / Instructure). ShinyHunters breach of Canvas LMS, May 2026. 275 million records from 8,809 institutions across 50+ countries. Largest educational data breach on record.
[14] Rescana/Bitdefender: Technical Analysis of the ShinyHunters Canvas Breach. FFT accounts without institutional verification undermined logical tenant isolation. Second major Instructure breach in 8 months.