Instructure's Canvas LMS is used for course delivery, grading, communications, and student records at thousands of U.S. institutions. An extended outage or confirmed data breach immediately disrupts academic continuity and potentially exposes student personally identifiable information protected under FERPA. If student records, grades, or communications were accessed, affected institutions face regulatory notification obligations and reputational risk with students, parents, and accreditation bodies. Until Instructure discloses the full breach scope, institutions cannot accurately assess their legal exposure or communicate authoritatively to affected students and staff.
You Are Affected If
Your institution uses Instructure's cloud-hosted Canvas LMS for academic operations
Your Canvas tenant stores student PII, academic records, or communications data
Your institution integrates Canvas with a Student Information System (SIS) or identity provider via API or SSO
Your institution has not yet received a breach scope notification from Instructure regarding your specific tenant
MFA is not enforced on administrative or service accounts with Canvas API access
Board Talking Points
A cyberattack on Canvas, the learning management platform used by thousands of U.S. universities, disrupted operations and may have exposed student data — including at institutions comparable to ours.
Leadership should direct IT and legal to request a formal breach scope disclosure from Instructure within 48 hours and assess FERPA notification obligations.
Without timely disclosure from Instructure, the institution cannot rule out student data exposure, which creates regulatory and reputational risk that grows with each day of silence.
FERPA — Canvas stores student education records, including grades, course activity, and communications; unauthorized access to these records triggers a FERPA breach assessment and potential notification obligations for affected institutions.