What began as a suspicious network alert on a Saturday morning escalated into the most severe cyberattack in the San Diego Community College District’s history — one that shut down the entire campus network across four colleges and left more than 90,000 students unable to access coursework, email, and learning platforms during the critical final weeks of the spring semester.
The Attack Begins: Saturday Network Shutdown
SDCCD network specialists first detected suspicious activity on May 2, 2026, according to district officials. Acting quickly, they moved to shut off internet access across all district facilities in an attempt to contain the threat.
“We thought we had stopped it,” Chancellor Gregory Smith said in a public statement. But when district technicians restored network access on Monday morning, the threat resumed — revealing a more sophisticated and deeply embedded intrusion than initially believed.
The district’s IT team was forced to take the network back offline while cybersecurity experts were brought in to conduct a full forensic investigation.
Four Campuses Affected
The cyberattack disrupted operations across all four SDCCD campuses:
- City College
- Mesa College
- Miramar College
- College of Continuing Education
Internet services, campus systems, and web-based platforms were suspended across all facilities simultaneously. Faculty could not administer online coursework. Students lost access to course materials, assignment submissions, and communication channels with instructors — all during the final stretch of the semester.
A Long-Game Credential Harvest
Investigators’ preliminary assessment revealed the attackers’ likely intent went far beyond a simple disruption attack. SDCCD officials believe the threat actors attempted to embed malicious code deep within the campus network — code designed to remain dormant and undetected for months or even years while covertly harvesting login credentials, financial information, Social Security numbers, and other sensitive personal data.
The attackers appeared to be playing a long game: establishing persistent access and quietly exfiltrating data over an extended period rather than announcing themselves with ransomware encryption or an immediate extortion demand.
District officials stated that no personal information was confirmed to have been accessed, though the investigation was ongoing at the time of disclosure.
The Canvas Breach Connection
The SDCCD attack arrived in the same week that Instructure Canvas — the learning management system used by thousands of educational institutions including San Diego campuses — disclosed its own massive data breach. ShinyHunters claimed responsibility for stealing 275 million Canvas user records from nearly 9,000 schools worldwide.
San Diego-area campuses were among those named in the Canvas breach’s list of affected institutions. The simultaneous targeting of Canvas infrastructure and SDCCD’s own campus network raised questions about coordinated or opportunistic attacks against the education sector — which has increasingly become a soft target for cybercriminals due to its large volumes of student PII, underfunded IT security teams, and widespread reliance on shared third-party platforms.
Education Under Siege
SDCCD’s experience is part of a broader pattern. Education consistently ranks among the most-targeted sectors in annual cybersecurity incident reports, and 2026 has accelerated that trend. Community colleges are particularly exposed: they serve large, diverse student populations but typically operate with IT budgets and security staffing that cannot match those of major research universities or K–12 districts with state-level support.
The timing of attacks during semester end-points — finals, graduation periods — is not accidental. Attackers know that the pressure to restore systems quickly creates conditions where organizations may accept unfavorable terms or skip forensic thoroughness to get operations back online.
Recovery Efforts
SDCCD brought in third-party cybersecurity experts to assist with containment and remediation. The district worked to restore systems in a phased manner, prioritizing student-facing platforms. Officials did not specify a full timeline for restoration but indicated the district was working as quickly as possible to bring services back online before the end of the semester.
No ransomware group claimed public credit for the SDCCD attack at the time of this writing, and no ransom demand had been publicly disclosed.
For Students and Staff
If you are or were a student, faculty member, or staff member of SDCCD:
- Monitor your accounts: Watch for unexpected password resets, login notifications, or phishing emails targeting your SDCCD email address
- Change your password: As a precaution, update your SDCCD credentials and any accounts where you reused that password
- Be alert for tax and financial fraud: Social Security numbers, if accessed, can be used to file fraudulent tax returns or open financial accounts in your name
- Watch for official notifications: SDCCD is required to notify affected individuals if a data breach involving personal information is confirmed — watch for certified mail or official email from the district
The SDCCD attack is a reminder that cyberattacks on educational institutions carry real consequences for real students — not just headline numbers, but disrupted finals, inaccessible coursework, and potential exposure of personal information that students entrusted to their college.
