Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Exploitation is confirmed for two of the three components: Instructure has acknowledged the Canvas breach, and Marquis has sustained an active ransomware attack with downstream credential exposure across 74 financial institutions; the Maine portal disruption is an active, documented disinformation campaign. The compounded breadth across the education, financial, and regulatory-infrastructure sectors raises business impact to very high, because the simultaneous degradation of a public notification system, a 275-million-record education dataset, and shared financial-vendor credentials creates intersecting operational, regulatory, and reputational consequences that no single sector can isolate.
Treatment rationale: Active, confirmed compromise, with ongoing regulatory notification obligations and cascading third-party exposure, leaves deferral or transfer as at most secondary levers; direct control action (vendor isolation, alternative notification channels, and credential rotation) is the only treatment that reduces the immediate blast radius.
Third-Party / Supply-Chain Risk
Marquis represents a high-concentration shared-service risk under NIST SP 800-161: a single vendor failure has simultaneously exposed 74 US financial institutions through shared credential infrastructure, consistent with a Tier 1 critical-dependency scenario where the acquiring organization has limited visibility into the vendor's internal controls. The Canvas breach introduces a secondary supply-chain vector for any institution using Canvas as a third-party LMS, with potential for credential reuse and phishing leverage against student and staff populations. The Maine AG portal disruption additionally degrades a shared public monitoring resource that many organizations depend on as an external threat intelligence feed, constituting an infrastructure-layer third-party dependency failure.
Loss Exposure (illustrative)
Magnitude: very high — illustrative $10M–$150M aggregate across directly affected institution classes; individual financial institution exposure illustratively $500K–$5M depending on customer PII scope and examination findings; individual university illustratively $1M–$10M depending on confirmed records affected and notification costs
Frequency: For a financial institution connected to Marquis, this is a realized event, not a frequency projection; loss realization is active. For an educational institution using Canvas, it is a single realized incident with tail risk from secondary credential-stuffing campaigns likely to persist 12–24 months. For any organization that relied on the Maine AG portal as a monitoring resource, it is an ongoing degraded intelligence posture until the portal is restored.
Annualized: Insufficient basis for ALE framing given simultaneous multi-vector active events; annualized modeling is not meaningful when primary losses are in current realization phase.
Basis: Loss magnitude range derived from: notification cost per individual (labor, legal, credit monitoring) scaled against claimed population sizes; regulatory examination and potential fine exposure for financial institutions under GLBA; operational disruption costs for institutions requiring emergency vendor triage and credential rotation across 74 entities; reputational discount applied to education sector where student trust is a long-cycle asset. No third-party loss reports cited. All figures are illustrative and scenario-constructed.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Marquis ransomware event and downstream credential exposure at financial institutions may invoke cyber-insurance notice obligations under business interruption and third-party liability coverages — verify with broker.
• Canvas breach affecting student and staff PII at covered educational institutions may invoke FERPA-related contractual breach provisions in vendor agreements — verify with counsel.
• Financial institutions affected via Marquis may face notice obligations under the GLBA Safeguards Rule and state financial privacy statutes — verify with counsel.
• Maine AG portal disruption caused by fabricated filings may implicate Computer Fraud and Abuse Act (CFAA) or equivalent state computer-crime statutes for the filing party — verify with counsel.
• 275-million-record Canvas exposure, if confirmed at scale, may invoke multi-state breach notification statutes and potentially COPPA obligations if minors are included in affected populations — verify with counsel.