Canvas Breach: Steps You Need to Take Now

ACTIVE INCIDENT

A major learning management system (LMS) provider, Instructure, has confirmed a significant data breach beginning in late April 2026. A criminal hacking group claimed responsibility, stating that approximately 9,000 schools worldwide and potentially up to 15,000 institutions across the U.S., U.K., Europe, Australia, New Zealand, and the Netherlands were affected.

May 11, 2026 Update:

Instructure has “reached an agreement” with the ShinyHunters attackers, apparently paying a ransom, and ShinyHunters promised to delete and not release the stolen data. Incorporate this information into your own risk assessment of the situation.

The attack began when hackers exploited a vulnerability to gain access to the vendor’s systems in late April 2026, forcing the company to shut down portions of its service and related data environments. In early May, login pages at numerous institutions were replaced with a ransom demand, threatening to release stolen data unless each affected institution negotiated a settlement within days. Systems were restored after security patches were implemented, but the investigation remains active.

Based on the vendor’s current disclosures, exposed data appears to include names, email addresses, student ID numbers, and private messages sent within the platform. The vendor has stated there is no current evidence that passwords, dates of birth, Social Security numbers, or financial information were compromised, though the investigation is ongoing, and that assessment may change.

Cybersecurity experts are warning that even the data categories confirmed as exposed create real risk. Names and email addresses combined with student ID numbers are sufficient for targeted phishing campaigns, and private messages could be leveraged for social engineering. Institutions that rely on this vendor as a third-party service provider still bear significant responsibility to their students, faculty, and staff, and must act now.

Recommended Response Steps for Affected Institutions

Once your institution has confirmed it is among those affected, initiate your Incident Response Plan (IRP) immediately.

The following steps reflect CampusGuard’s general guidance for responding to a third-party vendor breach of this nature:

1. Consult Legal Counsel Immediately
Review your institution’s contract with the vendor, specifically any language governing data breach notification responsibilities, indemnification, and credit monitoring obligations. Key questions include:

• Is the vendor contractually obligated to notify impacted individuals directly, or does that responsibility fall to your institution?
• What are your state’s specific data breach notification requirements and deadlines?
• If FERPA-protected student records were involved in the exposure of private messages or student IDs, what additional notification or reporting obligations apply?
• Does your institution’s contract require the vendor to cover costs associated with remediation or identity protection services for affected individuals?

2. Notify Your Risk Management Office and Review Cyber Insurance Coverage
Engage your risk management office and insurance carrier as early as possible. Determine whether your cyber insurance policy covers third-party vendor breaches, what documentation is required to file a claim, and whether any notification deadlines could affect coverage eligibility.

3. Coordinate Communications — Internal and Public
Work with your communications team and legal counsel to develop clear, vetted messaging for your campus community. Given that many students may have already encountered unexpected or alarming messages when attempting to log in to the platform, proactive communication is especially important to prevent panic and misinformation. A well-crafted campus announcement should include:

• What happened: Your institution was notified by your learning management system provider of a data security incident affecting its systems and thousands of institutions globally.
• Who may be impacted: Current and potentially former students, faculty, and staff who have accounts on the affected platform at your institution.
• What data was involved: Based on current information, names, email addresses, student or employee ID numbers, and private messages within the platform may have been exposed. Passwords, financial data, and government ID numbers do not appear to have been compromised at this time.
• Steps your institution has taken: Actions such as temporarily disabling platform access, removing third-party integrations, or coordinating with the vendor’s security team.
• What affected individuals should do: Be alert for phishing emails or unexpected messages that reference this incident, your institution, or use your personal information. Do not click suspicious links. Monitor your email account for unusual activity. The vendor will be providing direct notifications to impacted individuals as its investigation continues.
• Where to get updates and who to contact: Provide a dedicated email address or webpage for ongoing updates and community questions.

Many institutions across the country have already issued communications to their communities about this type of incident. Review publicly available examples for tone and substance as a helpful reference point.

4. Make Decisions About Support Services and Operational Continuity
Your institution’s response team and leadership must determine several practical questions, including:

• Will your institution provide identity monitoring or protection services to affected students and staff, and if so, who bears that cost?
• Should a staffed helpline be established for community members with questions?
• If the platform remains unavailable or access is restricted, what alternative platforms or communication channels will be used to maintain academic continuity, particularly critical for institutions with final exams approaching?
• Do not pay the ransom. Cybersecurity experts and law enforcement universally advise against it. Payment does not guarantee data deletion and may expose the institution to additional legal liability.

5. Actively Monitor the Vendor’s Investigation and Communications
Press the vendor for specific details: which of your users were affected, what data was accessed, how the vulnerability was remediated, and what safeguards are being put in place. The vendor has established a dedicated security incident update page; ensure the appropriate IT and security personnel at your institution are subscribed to real-time updates. The scope of the breach and the data involved may expand as the forensic investigation matures.

6. Protect Your Community from Secondary Threats
This breach creates a fertile environment for follow-on attacks. Cybercriminals who acquire names, email addresses, and student ID numbers, or who purchase that data, may use it to craft highly convincing phishing emails impersonating your institution or the affected platform. Proactively alert your campus community to:

• Be suspicious of any unsolicited emails referencing this breach, offering “account recovery,” or requesting login credentials.
• Avoid clicking links or downloading attachments from unexpected messages, even if they appear to come from a known sender.
• Report suspicious messages to your institution’s IT security team.
• Do not attempt to access the affected platform through unofficial links or bookmarks. Use only institutionally-approved access points as directed by IT.

FERPA Implications: If private messages or student records that fall under FERPA protection were accessed, your institution may have additional federal reporting and notification obligations. Consult legal counsel familiar with FERPA compliance to determine the appropriate response and timeline.

Looking Ahead: Strengthening Third-Party Vendor Oversight

This incident is a stark reminder that your institution’s security posture is only as strong as that of the vendors you depend on most. A platform used daily by your entire student body, faculty, and staff represents a high-value, high-impact target, and this incident reflects an alarming trend of threat actors specifically seeking out widely-adopted education technology providers to maximize their leverage.

Once the immediate response is underway, institutions should evaluate whether their existing vendor risk management frameworks are adequate. This means ensuring all service providers are properly vetted before onboarding, that contracts contain meaningful breach notification and liability provisions, and that ongoing monitoring and periodic security assessments are conducted, particularly for platforms with access to student records and communications.

Practice Makes Prepared

If your institution has not yet experienced a real-world third-party breach, we strongly encourage you to conduct a tabletop exercise simulating a scenario like this one. Walking your response team, legal counsel, communications staff, and IT leadership through the decision points together, before an incident occurs, is one of the highest-impact investments you can make in your institution’s resilience.

We are actively supporting customers in assessing their exposure and refining their incident response plans. Please don’t hesitate to reach out to your dedicated CampusGuard team with questions or for assistance in reviewing your vendor agreements and incident response documentation. Contact us to learn more and get started.