Canvas is used by thousands of colleges, universities, and school districts globally, meaning a breach at the platform level can expose student records across hundreds of institutions simultaneously, without any individual institution having taken a wrong step. Regulatory exposure is immediate and significant: U.S. institutions face FERPA notification obligations; institutions operating in the EU or handling EU student data face GDPR breach notification timelines of 72 hours to supervisory authorities. Reputational damage is compounded by the victim population — students, many of them minors — and the scale claimed, which, if confirmed, would make this one of the largest education sector breaches on record.
You Are Affected If
Your institution uses Instructure Canvas LMS and stores student PII (names, email addresses, enrollment data, grades, or communications) within the platform
Your Canvas tenant is connected to third-party integrations or LTI tools with broad read access to student data
Your institution uses Canvas Data 2 or Canvas API exports for analytics pipelines, increasing the volume of data accessible via API
Administrative or service account credentials for Canvas have not been rotated recently and may be exposed in credential databases
Your institution has not yet received a tenant-specific impact notification from Instructure
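For the tenant-side conditions in the list above (LTI tools with broad read access to student data, and administrative or service accounts whose credentials may be stale), the following audit script is an added example, not Instructure's code and not part of this advisory. It assumes two documented Canvas REST endpoints, GET /api/v1/accounts/:account_id/external_tools (whose objects carry a privacy_level of anonymous, name_only, email_only or public) and GET /api/v1/accounts/:account_id/users?include[]=last_login; the JSON samples, hostnames, user ids and reference date are constructed so the script runs offline, and fetch_all is the pagination helper you would use to pull real data with an admin token.

```python
"""Canvas tenant exposure audit (added example, not Instructure's code).

Checks two 'You Are Affected If' conditions against data in the shape returned by
two documented Canvas REST endpoints:
  GET /api/v1/accounts/:account_id/external_tools            (LTI tools, privacy_level)
  GET /api/v1/accounts/:account_id/users?include[]=last_login (account users, last_login)
The samples below are constructed for offline use; verify field shapes against
your own tenant before relying on the results.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Canvas LTI privacy levels, ranked by how much student identity a launch shares.
PRIVACY_RANK = {"anonymous": 0, "name_only": 1, "email_only": 1, "public": 2}

# Constructed sample: three external tools as the external_tools endpoint would list them.
SAMPLE_TOOLS = json.loads("""[
  {"id": 101, "name": "Plagiarism Checker", "privacy_level": "public",
   "url": "https://example-tool.invalid/lti"},
  {"id": 102, "name": "Poll Widget", "privacy_level": "anonymous",
   "url": "https://polls.example.invalid/launch"},
  {"id": 103, "name": "Legacy Gradebook Sync", "privacy_level": "public",
   "url": "http://old-sync.example.invalid/lti"}
]""")

# Constructed sample: account users with the last_login include.
SAMPLE_USERS = json.loads("""[
  {"id": 7, "name": "svc-analytics", "login_id": "svc-analytics@example.invalid",
   "last_login": "2023-01-15T08:00:00Z"},
  {"id": 8, "name": "Dana Admin", "login_id": "dana@example.invalid",
   "last_login": "2025-06-01T12:30:00Z"},
  {"id": 9, "name": "svc-old-sis", "login_id": "sis@example.invalid",
   "last_login": null}
]""")

# Constructed reference time so the stale-account check is deterministic.
AUDIT_NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)


def flag_broad_tools(tools):
    """Return LTI tools whose launches share identifying data (privacy_level 'public'),
    and any tool whose launch URL is plain http."""
    findings = []
    for t in tools:
        level = t.get("privacy_level", "public")  # missing field: assume the worst case
        reasons = []
        if PRIVACY_RANK.get(level, 2) >= 2:
            reasons.append(f"privacy_level={level} shares name, email and SIS ids")
        if t.get("url", "").startswith("http://"):
            reasons.append("launch URL is not HTTPS")
        if reasons:
            findings.append({"id": t["id"], "name": t["name"], "reasons": reasons})
    return findings


def flag_stale_accounts(users, now, max_age_days=90):
    """Return users with no login in max_age_days or who never logged in.
    last_login is only a proxy: Canvas does not report when a password or access
    token was last rotated, so treat this as a triage list for rotation."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for u in users:
        raw = u.get("last_login")
        if raw is None:
            findings.append({"id": u["id"], "login_id": u["login_id"],
                             "reason": "never logged in"})
            continue
        last = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if last < cutoff:
            findings.append({"id": u["id"], "login_id": u["login_id"],
                             "reason": f"last login {(now - last).days} days ago"})
    return findings


def fetch_all(base_url, token, path):
    """Follow Canvas Link-header pagination for a GET endpoint (not called offline)."""
    results, url = [], f"{base_url}{path}"
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            results.extend(json.load(resp))
            link = resp.headers.get("Link", "")
        url = None
        for part in link.split(","):
            if 'rel="next"' in part:
                url = part.split(";")[0].strip().strip("<>")
    return results


def run_audit(tools, users, now=None):
    """Combine both checks into one report dictionary."""
    now = now or datetime.now(timezone.utc)
    return {"broad_tools": flag_broad_tools(tools),
            "stale_accounts": flag_stale_accounts(users, now)}


if __name__ == "__main__":
    print(json.dumps(run_audit(SAMPLE_TOOLS, SAMPLE_USERS, AUDIT_NOW), indent=2))
```

Against a live tenant you would replace the samples with fetch_all(base_url, token, "/api/v1/accounts/1/external_tools?per_page=100") and the equivalent users call; the "public" tools in the report are the integrations whose own breach or over-broad access would expose student PII, and the stale accounts are the credentials to rotate first while waiting for Instructure's tenant-specific assessment.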
Board Talking Points
A criminal hacking group claims to have stolen data from Instructure Canvas, the learning platform used across our institution, potentially exposing student and faculty records at scale.
We are conducting an immediate audit of our Canvas access credentials and integrations and have contacted Instructure for a tenant-specific impact assessment — we expect preliminary findings within 48 hours.
Without prompt action, the institution faces mandatory breach notification obligations under FERPA and potentially GDPR, along with significant reputational harm to students and families who trust us to protect their data.
FERPA — Canvas stores student education records; unauthorized disclosure of student PII triggers FERPA breach notification obligations for U.S. educational institutions
GDPR — Institutions with EU student or faculty data face 72-hour supervisory authority notification requirements if personal data of EU data subjects was exfiltrated
COPPA — If Canvas is used in K-12 settings serving children under 13, exfiltration of those records triggers COPPA obligations for U.S. operators