An active, uncontained breach of the platform serving your institution's entire student and staff population creates immediate obligations: breach notification to potentially millions of individuals under state breach-notification and student privacy laws and, where applicable, GDPR, plus FERPA assessment of the unauthorized disclosure of education records, with the associated legal costs, regulatory scrutiny, and reputational exposure. Operational continuity is directly at risk: Instructure disabled Canvas following the breach, so institutions may face extended loss of their primary course delivery and grading platform mid-semester. The scale of exposed PII, potentially hundreds of millions of records, makes this a high-value dataset for follow-on fraud, credential stuffing, and targeted spear-phishing against students, parents, and staff.
You Are Affected If
Your institution uses Instructure Canvas LMS (cloud-hosted) as a production platform for course delivery, grading, or student records
Your Canvas environment stores student, faculty, or staff PII including names, email addresses, institutional IDs, or academic records
Your institution has not received direct written confirmation from Instructure that your tenant was isolated and unaffected
Administrative accounts, API access tokens, or developer keys for Canvas have not been rotated or revoked since the breach was reported
Your institution relies on Canvas SSO (SAML/OIDC) or LTI integrations that share credentials, client secrets, or OAuth tokens with the compromised platform, so a compromise of Canvas could be pivoted into other institutional systems
Board Talking Points
An active breach of Canvas LMS, used by 8,800 institutions globally, puts hundreds of millions of student and staff records at ongoing risk — and the attacker reportedly still has access.
Institutions should immediately contact Instructure for tenant-specific status, rotate all Canvas credentials, and engage legal counsel to assess breach notification obligations under FERPA, state law, and GDPR.
Without immediate action, institutions risk regulatory penalties, notification costs, loss of student trust, and extended disruption to academic operations if Canvas remains unavailable.
FERPA — Canvas LMS is a primary repository of student education records; unauthorized access to student PII requires the institution to assess and document the disclosure, and ED's Student Privacy Policy Office guidance calls for notifying affected students or parents, although FERPA itself sets no statutory notification deadline
COPPA — K-12 Canvas deployments may include data from students under 13; COPPA imposes reasonable-security and parental-disclosure obligations on operators handling that data, and the FTC can enforce against operators whose safeguards fail, while individual breach notification is driven by state law
GDPR — Instructure serves institutions globally; EU-based institutions act as controllers and must notify their supervisory authority within 72 hours of becoming aware of the breach under Article 33, and inform affected data subjects under Article 34 where the risk to them is high; Instructure, as processor, must notify controllers without undue delay under Article 33(2)
State Student Privacy Laws (e.g., SOPIPA, NY Education Law 2-d) — numerous US states impose specific breach notification and data protection obligations for student PII held by ed-tech vendors