A breach of Canvas data exposes personal records for students, educators, and administrators across potentially thousands of institutions, including records of minors, which carry FERPA and, in some cases, COPPA obligations. Institutions face regulatory notification obligations, reputational harm with families and accreditation bodies, and potential civil liability if student data was inadequately protected. Near-term operational disruption is limited, but loss of trust in a core instructional platform can drive costly procurement reviews and accelerate contract terminations.
You Are Affected If
Your institution uses Instructure Canvas as its learning management system (K-12 or higher education)
Your Canvas instance is integrated with third-party LTI tools or data pipeline services (e.g., Canvas Data 2)
Administrator, instructor, or student accounts in your Canvas environment reuse passwords from other services, or your Canvas authentication does not enforce MFA (particularly for administrator accounts)
Your institution stores sensitive student records (grades, enrollment data, personal identifiers) within Canvas
Your institution has not audited API access tokens, developer keys, and OAuth/LTI integration permissions in the past 90 days
Board Talking Points
Instructure's Canvas platform — used by roughly 9,000 schools — confirmed a data breach; our institution's student and staff records may be among those exposed.
IT and security teams should rotate user credentials and API/integration tokens and complete access audits within 48 hours; legal should assess FERPA and state breach-notification obligations this week.
Delayed action risks regulatory penalties, notification costs, and reputational damage with students, families, and accreditors if affected records surface publicly.
FERPA — Canvas stores student education records; the institution, not the vendor, is the FERPA-regulated party (Instructure processes the data under the school-official exception), so an unauthorized disclosure triggers a FERPA breach assessment, a record of the disclosure in the affected students' files, and notification obligations that in practice arise from state breach-notification laws rather than from FERPA itself
COPPA — K-12 use of Canvas may involve personal data of children under 13; COPPA obligations fall on the operator (Instructure), but K-12 institutions that consented on parents' behalf for educational use should expect parent inquiries and should confirm with Instructure how affected children's data is being handled
GDPR — Institutions in or serving users in the EU/EEA that use Canvas are the controller for this data; they must assess whether the incident constitutes a personal data breach requiring notification to their supervisory authority within 72 hours of becoming aware of it (Article 33), and should expect Instructure, as processor, to notify them without undue delay under Article 33(2)