Cyber Incident Victim: Infinite Campus

On September 17, 2018, Infinite Campus, a widely used student information management system serving schools across the United States, experienced a severe Distributed Denial-of-Service (DDoS) attack. This incident marked an escalation in a series of prior attacks against the company, with the latest assault characterized as 50 times larger in volume and 100 times longer in duration than any previous event. The attack initially targeted Infinite Campus’s infrastructure directly, overwhelming systems and rendering the company’s website inaccessible. Parents and guardians reported widespread inability to access student data portals, though Infinite Campus confirmed no data theft or compromise occurred. The disruption impacted multiple customers and data centers, including Oklahoma City Public Schools (OKCPS), which serves approximately 45,000 students. OKCPS notified families that portal access might be limited or entirely blocked due to the attack but reiterated that student data remained secure.

After repelling the initial wave, attackers shifted tactics by targeting Infinite Campus’s DNS provider, extending service disruptions beyond the original attack vector. This strategic pivot prolonged downtime and complicated mitigation efforts. Homeland Security initiated an investigation into the incident, while Infinite Campus engaged external security experts to assist in identifying the perpetrators. The company publicly emphasized the unprecedented scale of the attack but did not speculate on the identity or motives of the threat actors. Nationwide, numerous school districts relying on Infinite Campus faced operational challenges due to the portal’s instability, though functional impacts were confined to accessibility issues rather than data integrity concerns. Authorities continued investigating the source of the campaign as service restoration efforts progressed.