Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood rationale: Likelihood is high because ShinyHunters has confirmed active exploitation with visible proof-of-impact (defacement of 330 portals), a named extortion deadline of May 12, and a credible history of large-scale data extortion campaigns; Instructure's decision to take Canvas offline confirms the breach is real and ongoing rather than theoretical.
Impact rationale: Impact is very high because simultaneous loss of the single LMS platform serving all 330 institutions at a critical point in the academic calendar is an operational crisis in itself, and threatened release of 280 million student and staff records creates compounding FERPA-driven notification obligations, state privacy law exposure, and multi-institution reputational harm that no single institution can contain unilaterally.
Treatment rationale: The breach is active and the harm window is open until May 12 at minimum — avoidance is no longer possible, transfer cannot eliminate the notification and reputational exposure already incurred, and acceptance is untenable given the regulatory obligations FERPA and state laws attach to confirmed PII exposure at this scale; mitigation — through parallel incident response, regulatory counsel engagement, and contingency course-delivery activation — is the only treatment that reduces further harm.
Third-Party / Supply-Chain Risk
Every affected institution's exposure is entirely mediated through a single third-party SaaS vendor (Instructure): institutions did not control the compromised environment, cannot independently verify the scope of exfiltrated data, and have no ability to restore platform availability without Instructure action. Under NIST SP 800-161, this represents a critical Tier 1 supplier concentration risk — a single vendor outage or breach cascades simultaneously to all 330 dependent institutions with no independent fallback. Institutions' data-processing agreements and vendor risk assessments with Instructure are immediately material to incident response, notification scope determination, and liability allocation.
Loss Exposure (illustrative)
Magnitude: very high. Illustrative range of $200K–$2M for a mid-size institution and $2M–$15M per affected institution at the upper tail, driven by notification costs across a large student/staff population, regulatory response, and remediation
Frequency: This is a singular event already in progress, not a frequency-modeled risk; the relevant framing is depth of loss within the current incident window, not annualized recurrence probability
Annualized: Insufficient basis for annualized loss expectancy (ALE) framing; this is an active, singular third-party breach event, not a recurring independent risk, and annualizing it would misrepresent the nature of the exposure
Basis: Loss magnitude range is derived illustratively from the following cost drivers specific to this incident: (1) per-record notification and credit-monitoring costs applied to a large student/staff population, (2) legal and regulatory counsel engagement across multiple state jurisdictions simultaneously, (3) operational disruption costs from Canvas outage during exam periods including emergency alternative delivery, (4) potential regulatory fines or corrective action costs under FERPA, and (5) reputational harm quantified only at the low end of the range. No third-party benchmark reports were referenced. Figures are illustrative only.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed PII exfiltration affecting student and staff records may invoke cyber-insurance first-party breach-response coverage (forensics, notification, crisis communications) — verify trigger conditions and notice deadlines with broker immediately.
• 280 million records involving minors and FERPA-protected education records may invoke state breach-notification statutes in every state where affected students reside — verify applicable statutes, thresholds, and notification timelines with counsel.
• FERPA-regulated data exposure at institutions receiving federal funding may trigger U.S. Department of Education notification or reporting obligations — verify with counsel.
• Vendor data-processing agreements between each institution and Instructure likely contain breach-notification and liability provisions that are now activated — verify contractual obligations and indemnification scope with counsel.
• Third-party cyber-liability claims from students, staff, or partner institutions may implicate institutional umbrella or errors-and-omissions policies — verify coverage scope with broker.