On June 15, 2026, the data-theft and extortion group ShinyHunters added Moody Bible Institute to its leak site, claiming to have exfiltrated more than 23 gigabytes of data spanning the Chicago-based Christian college’s enrollment, donor relations, payroll, and communications systems. The group asserts the haul includes approximately 46 million communication records, roughly 2.2 million enrollment-lead records, and more than 108,000 biodemographic master files containing names, postal addresses, and dates of birth.

Moody Bible Institute has confirmed it is aware of the claim and has engaged cybersecurity experts to investigate. As of this writing the institution has not confirmed a breach, and the threat actor’s figures remain unverified. That caveat matters legally, but it does not change the compliance lesson, which becomes apparent the moment a school looks at the categories of data ShinyHunters claims to hold. Those categories expose a recurring blind spot in higher-education data governance: the assumption that FERPA is the whole compliance story. It is not. For the data most likely sitting in Moody’s marketing and admissions systems, FERPA may not apply at all.

This is the second major education-sector incident attributed to ShinyHunters in two months, following the Instructure Canvas breach that exposed an estimated 275 million student and staff records across 8,800 institutions. The pattern is deliberate, and education compliance teams need to understand why their sector has become a priority target.

Why ShinyHunters Is Hunting Schools

ShinyHunters is a financially motivated group that surfaced in 2019. Unlike traditional ransomware crews, it does not typically encrypt systems. Its model is data exfiltration plus extortion: steal large volumes of records, post a sample to a leak site, and pressure the victim to pay to prevent publication. The group has spent 2026 running a campaign against SaaS platforms (notably Salesforce instances) and educational institutions.

Education is attractive for structural reasons. Schools hold dense personal data on minors, prospective students, current students, alumni, donors, and employees, often across decades. They run sprawling technology stacks that mix student information systems, learning management systems, customer relationship management (CRM) platforms, marketing-automation tools, and third-party recruiting vendors. Budgets for security frequently lag those of comparably data-rich industries. And the data has long-tail value: a date of birth and a home address do not expire the way a credit-card number does.

The Moody claim fits that profile precisely. The largest single bucket, the 46 million communication records, suggests the contents of an email or messaging platform. The 2.2 million enrollment leads point to a marketing or admissions CRM. The 108,000 biodemographic files look like a master constituent database. Each bucket sits under a different regulatory regime, and only one of them is squarely FERPA’s problem.

FERPA: What It Actually Covers — and What It Doesn’t

The Family Educational Rights and Privacy Act, codified at 20 U.S.C. 1232g and implemented at 34 C.F.R. Part 99, is the statute everyone reaches for when an education breach hits the news. It is also the statute most often misunderstood in the breach context.

FERPA protects education records, defined as records that are (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting for it. Critically, FERPA’s protections attach to a person only once they are a student — meaning someone who is or has been in attendance at the institution. The regulations are explicit on this point in 34 C.F.R. 99.3: the term “student” does not include “an individual who has not been in attendance at an agency or institution.”

That single definitional line is the crux of the Moody analysis. Consider the three data buckets:

  • Enrollment leads (~2.2 million). A prospective student who submitted an inquiry form, attended a webinar, or was purchased as a marketing lead has, by definition, never been in attendance. Their records are not education records and are not protected by FERPA. The 2.2 million enrollment leads — likely the largest population of distinct individuals in the dataset — fall outside FERPA’s scope entirely.
  • Biodemographic master files (~108,000). This bucket almost certainly mixes enrolled and former students (FERPA-covered) with donors, prospects, and other constituents (not FERPA-covered). The protection status must be determined record by record, not by the dataset as a whole.
  • Communication records (~46 million). Emails and messages may or may not be education records depending on whether they are “directly related to a student” and “maintained” as part of the student’s file. Routine marketing email, fundraising appeals, and operational correspondence generally are not education records.

There is a second misconception worth retiring. FERPA contains no breach-notification requirement. It does not obligate an institution to notify affected individuals, regulators, or the public when records are compromised. The U.S. Department of Education can investigate and, in theory, withdraw federal funding for a violation, but there is no FERPA equivalent of the HIPAA Breach Notification Rule. Notification duties for an education breach come almost entirely from state law and, for certain data, from the GLBA Safeguards Rule.

The practical upshot: an institution that treats FERPA as its breach-compliance backbone will badly under-scope its obligations after an incident like this one.

The GLBA Safeguards Rule: The Obligation Schools Forget

Most colleges do not think of themselves as financial institutions. Under the Gramm-Leach-Bliley Act, when it comes to student financial-aid data, they are treated as one.

Because postsecondary institutions participate in Title IV federal student-aid programs, they are deemed financial institutions subject to the FTC’s Safeguards Rule, codified at 16 C.F.R. Part 314. The Department of Education has incorporated GLBA compliance into the Title IV Program Participation Agreement, making it a condition of receiving federal aid funds. The amended Safeguards Rule, fully effective since June 2023, requires covered institutions to maintain a documented information security program that includes, among other elements:

  • A designated qualified individual responsible for the security program (16 C.F.R. 314.4(a)).
  • A written risk assessment (314.4(b)).
  • Specific safeguards including access controls, encryption of customer information at rest and in transit, multi-factor authentication, and secure disposal (314.4(c)).
  • Continuous monitoring or annual penetration testing plus semi-annual vulnerability assessments (314.4(d)).
  • Oversight of service providers by contract (314.4(f)).
  • A written incident response plan (314.4(h)).

Since May 2024, the Safeguards Rule has also carried a notification requirement: covered financial institutions must notify the FTC as soon as possible, and no later than 30 days, after discovering a security event involving the unencrypted information of 500 or more consumers (16 C.F.R. 314.5). Any financial-aid data within Moody’s compromised systems — and any institution’s, in a comparable incident — could trigger this FTC reporting obligation independent of FERPA and independent of state law.

GLBA also reframes the risk-assessment question. If the 108,000 biodemographic files or the communication records touch financial-aid applicants, FAFSA-derived information, or payment data, the encryption and access-control mandates of 314.4(c) become directly relevant to any post-incident regulatory review. “We complied with FERPA” is not a defense to a Safeguards Rule deficiency.

Illinois PIPA and State Breach-Notification Duties

Because Moody Bible Institute is headquartered in Chicago, the Illinois Personal Information Protection Act (PIPA), 815 ILCS 530, is the lead state statute, and the institution’s notification duties will track the residency of each affected individual across every state represented in the dataset.

Under PIPA, “personal information” includes an individual’s name in combination with a data element such as a Social Security number, driver’s license number, financial account number, or — relevant here — medical or health-insurance information and certain other identifiers. A standalone postal address and date of birth, the elements ShinyHunters specifically advertises in the biodemographic files, do not by themselves meet the Illinois definition that triggers notice. But if any record pairs a name with a protected element, PIPA’s notification clock starts.

PIPA requires notice to affected Illinois residents in the most expedient time possible and without unreasonable delay (815 ILCS 530/10). If more than 500 Illinois residents must be notified as a result of a single breach, the data collector must also notify the Illinois Attorney General (815 ILCS 530/12), within the timeframe the statute prescribes. PIPA is enforced through the Illinois Consumer Fraud and Deceptive Business Practices Act, exposing the institution to Attorney General action.

For a dataset of this scale, the operational reality is a 50-state notification analysis. Different states define “personal information” differently (some now include biometric data, online credentials, or even date of birth combined with name), set different notice deadlines (often 30, 45, or 60 days), and impose different attorney-general and credit-monitoring obligations. The 2.2 million enrollment leads, even though FERPA-exempt, are squarely within the reach of these state statutes if they include a triggering combination of elements.

Illinois carries one additional landmine. The Biometric Information Privacy Act (BIPA), 740 ILCS 14, provides a private right of action with statutory damages for the mishandling of biometric identifiers. There is no indication that biometric data is in the Moody dataset, but any institution using fingerprint, facial-geometry, or voiceprint authentication should treat BIPA exposure as a distinct line item in its incident analysis.

Enrollment-Lead Data and the TCPA

The 2.2 million enrollment leads deserve their own discussion, because they represent the part of the dataset that conventional education-compliance programs govern least.

Enrollment-lead data is generated and stored by marketing and admissions teams, often in CRM and marketing-automation platforms maintained outside the registrar’s controls and outside FERPA’s scope. It frequently includes phone numbers gathered through lead-generation forms, purchased lists, and third-party recruiting vendors. That makes the Telephone Consumer Protection Act (TCPA), 47 U.S.C. 227, and its FCC implementing rules directly relevant.

Two consent issues arise from a breach of lead data:

  1. Consent integrity. TCPA compliance for autodialed or prerecorded marketing calls and texts depends on prior express written consent that is documented and tied to a specific consumer. If the records that prove consent are compromised, altered, or commingled with leads of unknown provenance, the institution’s ability to demonstrate lawful contact erodes. Post-breach, schools should not assume that the consent records they relied on are still trustworthy.
  2. Downstream misuse. Stolen phone numbers and names with an education-interest signal are ideal fuel for fraudulent recruitment, financial-aid scams, and smishing targeting prospective students. Victims may receive convincing fraudulent outreach precisely because the attacker knows they expressed interest in a specific institution.

The compliance point is broader than TCPA. Lead data is governed by the same state breach-notification laws as any other personal information, by FTC Act Section 5 prohibitions on unfair or deceptive practices (including misrepresentations in a published privacy policy), and increasingly by comprehensive state consumer-privacy statutes. Treating admissions and marketing systems as out-of-scope for the institution’s security program — because “that’s not student data” — is exactly the gap ShinyHunters monetizes.

The Education-Sector Pattern

The Moody claim is not an isolated event. It sits inside a documented 2026 surge in attacks on education and EdTech. The Instructure Canvas breach, attributed to the same group, demonstrated the leverage available when an attacker reaches a platform that aggregates data from thousands of institutions. The Moody incident shows the complementary risk: a single institution’s own sprawl of systems — email, CRM, donor database, payroll — each holding millions of records under different legal regimes.

The throughline is that education data is persistent, identity-rich, and fragmented across owners. A breach rarely respects the org-chart boundary between the registrar (FERPA), financial aid (GLBA), marketing (TCPA and state law), and advancement (state law and donor expectations). Attackers exploit all of it at once. Compliance programs that are siloed the same way will always be a step behind.

Compliance Checklist for Educational Institutions

Use the Moody claim as a forcing function to test your own posture:

  • Map data to regimes, not departments. Inventory every system holding personal data and tag each dataset with the laws that govern it (FERPA, GLBA, state breach law, TCPA, state consumer-privacy acts). Expect overlaps and gaps.
  • Stop treating FERPA as your breach framework. Confirm in writing that your incident-response plan accounts for GLBA/FTC notification (16 C.F.R. 314.5), 50-state breach-notification analysis, and contractual obligations — none of which FERPA supplies.
  • Bring admissions and marketing into scope. Enrollment-lead and CRM systems hold your largest non-student populations. Apply the same access controls, encryption, MFA, and logging you apply to the SIS.
  • Verify GLBA Safeguards Rule compliance now. Confirm you have a designated qualified individual, a current written risk assessment, encryption at rest and in transit, MFA, service-provider oversight, and a tested incident-response plan (16 C.F.R. 314.4).
  • Audit TCPA consent records. Ensure consent documentation is securely stored, attributable to specific consumers, and recoverable in a form that survives a breach of the operational CRM.
  • Run a 50-state notification tabletop. Pre-build a matrix of state definitions, deadlines, and attorney-general/credit-monitoring triggers so you can move within Illinois PIPA’s “without unreasonable delay” standard and tighter out-of-state clocks.
  • Lock down third-party and SaaS access. The 2026 campaign has leaned heavily on SaaS and CRM platforms. Enforce MFA, least privilege, and token hygiene on every integrated marketing, recruiting, and communications vendor.
  • Plan for downstream fraud. Prepare prospect- and student-facing warnings about smishing, fraudulent financial-aid outreach, and impersonation, so affected individuals can recognize attacks built on stolen lead data.
  • Document defensibility. Retain risk assessments, security-program records, and decision logs. Regulators reviewing an education breach will ask what you knew and what you did, across every regime, not just FERPA.

Conclusion

Whether or not ShinyHunters’ specific figures hold up, the Moody Bible Institute claim is a clean illustration of where education compliance actually lives in 2026. The largest population in the alleged dataset — 2.2 million enrollment leads — likely falls outside FERPA entirely, governed instead by state breach law, TCPA, and the FTC Act. Financial-aid data, wherever it sits, pulls the institution into the GLBA Safeguards Rule and its 30-day FTC notification clock. And as a Chicago institution, Moody answers first to Illinois PIPA while facing a multistate notification burden scaled to the residency of every affected person.

The lesson for every college and university is the same one the Instructure breach taught at platform scale: attackers do not respect the boundaries of FERPA, and neither should your compliance program. Map your data to every regime that touches it, secure the marketing and admissions systems you have been ignoring, and build an incident-response capability that assumes the breach will cross every silo at once. The institutions that treat FERPA as the floor — not the ceiling — of their obligations will be the ones still standing when ShinyHunters comes calling.

This article is provided for informational purposes only and does not constitute legal advice.