Instructure's decision to take Canvas offline eliminates course access across all 330 affected institutions simultaneously, disrupting exams, assignments, and grading workflows at the height of the academic calendar. If ShinyHunters publishes 280 million records after the May 12 deadline, affected institutions face breach notification obligations under FERPA and applicable state privacy laws, regulatory scrutiny, and potential litigation from students, staff, and families. The reputational damage from a public data dump at this scale — student names, grades, contact information, institutional communications — will be difficult to contain regardless of whether the ransom is paid.
You Are Affected If
Your institution uses Instructure Canvas as its LMS, whether hosted by Instructure (cloud) or integrated through Instructure's platform APIs
Your Canvas instance is integrated with your institutional SSO, SIS, or identity provider via OAuth, SAML, or API keys
Your institution is among the approximately 330 whose login portals were defaced — check for ransom notices on your Canvas login page
Your institution stores student PII, staff records, course data, or grades within Canvas or syncs this data to Canvas via API
Your institution has not yet rotated Canvas API credentials or audited OAuth token grants issued since April 2026
Board Talking Points
A criminal group has taken down Canvas — the learning platform used by hundreds of colleges and K-12 schools — and claims to hold 280 million student and staff records, demanding payment by May 12 or threatening public release.
Institutions using Canvas should immediately revoke API credentials, suspend third-party integrations, and prepare breach notification procedures in parallel while awaiting guidance from Instructure.
If the ransom deadline passes without resolution and data is released publicly, affected institutions face simultaneous regulatory, legal, and reputational consequences that will be significantly harder to manage reactively than proactively.
FERPA — Canvas stores education records (grades, enrollment, course communications) for students at covered institutions; a breach of this scope triggers FERPA breach notification obligations and potential DOE scrutiny
COPPA — K-12 institutions using Canvas may store data on students under 13, creating COPPA exposure if that data is among the exfiltrated records
State Student Privacy Laws (e.g., SOPIPA, NY Education Law 2-d, CA SOPPA) — numerous states have enacted student data privacy laws that impose breach notification and data use restrictions specifically on ed-tech platforms and their institutional partners
GLBA (Safeguards Rule) — institutions with financial aid data stored or accessible within Canvas may have GLBA exposure depending on data scope
HIPAA — if any Canvas instance stores health-related records (e.g., disability accommodation documentation in student profiles), HIPAA notification analysis is required