The Instructure Canvas incident: What happened and what's next?

In early May 2026, Instructure, Inc. (Instructure), the company behind the Canvas learning management system (LMS), experienced a network security incident that had a widespread impact on educational institutions across the United States, Europe, Canada, and Australia. Instructure is a private, Utah-based company founded in 2008 with reported 2023 revenue of $530.2 million, and it reportedly aims to reach $1 billion in revenue by 2028. Instructure states that it has over 8,000 customers, including K-12 schools and colleges, in over 100 countries, and that Canvas sees over 19 million "unique visitors" annually.

What happened?

On May 6, 2026, the Canvas platform suffered an outage of approximately six hours, after which some users experienced intermittent issues or restricted access. During this period, some students and faculty saw ransom notes from the ShinyHunters threat actor group on their Canvas login screens, claiming that Canvas had been breached and that user data would be leaked if a ransom was not paid. On May 7, 2026, Instructure reported on its website that Canvas was available for most users. Instructure further stated that it "will continue to provide updates as appropriate through other channels and is now communicating directly with impacted customers to provide organization-specific information and support." In the meantime, institutions across the country are publishing their own notices regarding the incident.

How should affected educational institutions respond?

Educational institutions affected by the Canvas incident may be required to notify the affected users, the relevant state attorneys general, and potentially consumer reporting agencies under certain U.S. state data breach notification statutes. Additionally, certain K-12 institutions may be required to comply with recordkeeping requirements under the Family Educational Rights and Privacy Act (FERPA).

To comply with applicable U.S. state data breach notification laws, Instructure, as the service provider, is required to provide the affected educational institutions (i.e., the data owners) with the involved users' names and the associated data elements that were accessed and/or acquired in the incident. Users generally include students, faculty/employees, and students' parents. The Utah System of Higher Education reported on May 8, 2026, that according to Instructure, "the incident resulted in the compromise of names, email addresses, student ID numbers, and user messages[,]" and that Instructure "does not believe that passwords, dates of birth, government identifiers, or financial information were compromised." Such limited information generally does not, by itself, trigger notification under U.S. data breach notification statutes; however, the content of the user messages will need to be reviewed further to assess whether they contained any additional personal information (a student may, for example, have sent a message containing a date of birth, a health detail, or financial account information).

At this point, most affected educational institutions will remain in a holding pattern to hear further from Instructure regarding the names of individual users and their data elements involved, as well as whether Instructure may notify individuals on behalf of the affected institutions. Upon receipt of this information, affected institutions will be able to assess what, if any, legal obligations they have as a result of this third-party incident.

Next steps

Educational institutions affected by the incident should assess whether they need to notify their cyber/privacy carrier regarding any first-party and potential third-party coverage afforded under their policy. Consulting with the broker of the policy can assist with this decision.

Additionally, the affected entities should activate their Incident Response Plan (IRP), including consulting with outside legal counsel to assist with any required response, including potential notice obligations. Engaging outside legal counsel can extend attorney-client privilege over the affected entity's investigation of the incident. As many affected entities are now finding, outside legal counsel can also help with legally voluntary but operationally necessary communications to students, parents, employees, trustees, and other involved parties regarding the incident and next steps.

Further, affected institutions should follow their Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP), as well as Instructure's recommended steps with respect to Canvas security, including "enforcing [multi-factor authentication ("MFA")] on privileged accounts, reviewing admin[istrative] access, and rotating [Application Programming Interface ("API")] tokens or keys where applicable." Two practical notes on those steps: an admin-access review should compare the live list of Canvas account admins against the institution's approved roster rather than simply eyeballing it, and rotating API tokens will break any SIS, LTI, or reporting integration that still uses the old token, so the rotation should be coordinated with the owners of those integrations.
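The admin-access review recommended above can be automated against the Canvas REST API. The script below is an added example for this page, not Instructure's code or code from the original post. It assumes the Canvas Admins API endpoint `GET /api/v1/accounts/:account_id/admins`, Canvas's `Link` header pagination, and the documented Admin object shape (`role`, `user.id`, `user.login_id`); the base URL `canvas.example.edu`, the approved roster, and the two sample response pages are constructed so that the script runs offline. It walks every page of the admin list and reports grants that are not on the approved roster (the review queue) and roster entries that no longer hold any admin role (stale roster rows).

```python
"""Audit Canvas account admins against an approved roster (added example)."""
from __future__ import annotations

import json
import re
import urllib.request
from typing import Callable, Optional

# Canvas paginates list endpoints with an RFC 5988 Link header; the page after
# the current one is the URL carrying rel="next".
_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')

# A fetcher maps a URL to (decoded JSON body, raw Link header string).
Fetch = Callable[[str], "tuple[list, str]"]


def next_page(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a Canvas Link header, or None on the last page."""
    m = _NEXT.search(link_header or "")
    return m.group(1) if m else None


def fetch_with_token(token: str) -> Fetch:
    """Live fetcher (not used in the offline run): Bearer-auth GET via the stdlib."""
    def get(url: str) -> "tuple[list, str]":
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp), resp.headers.get("Link", "")
    return get


def list_admins(get: Fetch, base_url: str, account_id: str) -> list:
    """Walk every page of GET /api/v1/accounts/:account_id/admins."""
    url = f"{base_url}/api/v1/accounts/{account_id}/admins?per_page=100"
    admins: list = []
    while url:
        body, link = get(url)
        admins.extend(body)
        url = next_page(link)
    return admins


def review_admins(admins: list, approved: dict) -> dict:
    """Compare live admin grants with an approved roster.

    approved maps login_id -> set of roles that login may hold.  A grant whose
    login is not on the roster, or whose role is not approved for that login,
    goes to "unexpected"; roster logins with no live grant go to "missing".
    """
    unexpected, seen = [], set()
    for a in admins:
        user = a["user"]
        login = user.get("login_id") or user.get("email") or str(user["id"])
        seen.add(login)
        if a["role"] not in approved.get(login, set()):
            unexpected.append({"login_id": login, "role": a["role"], "user_id": user["id"]})
    return {"unexpected": unexpected, "missing": sorted(set(approved) - seen), "total": len(admins)}


# Constructed sample data: two response pages in the shape the Admins API
# returns (hostname, names, IDs and roster are all invented for this example).
_BASE = "https://canvas.example.edu"
_P1 = f"{_BASE}/api/v1/accounts/1/admins?per_page=100"
_P2 = f"{_BASE}/api/v1/accounts/1/admins?page=2&per_page=100"
_PAGES = {
    _P1: ([{"id": 10, "role": "AccountAdmin", "role_id": 1, "workflow_state": "active",
            "user": {"id": 501, "name": "Ada Admin", "login_id": "ada@example.edu"}},
           {"id": 11, "role": "AccountAdmin", "role_id": 1, "workflow_state": "active",
            "user": {"id": 502, "name": "Former Contractor", "login_id": "vendor@example.edu"}}],
          f'<{_P2}>; rel="next", <{_P1}>; rel="first"'),
    _P2: ([{"id": 12, "role": "Help Desk", "role_id": 7, "workflow_state": "active",
            "user": {"id": 503, "name": "Hal Desk", "login_id": "hal@example.edu"}}],
          f'<{_P1}>; rel="prev"'),
}
APPROVED = {"ada@example.edu": {"AccountAdmin"},
            "hal@example.edu": {"Help Desk"},
            "bob@example.edu": {"AccountAdmin"}}   # bob no longer holds a grant


def sample_fetch(url: str) -> "tuple[list, str]":
    """Offline stand-in for fetch_with_token(): serves the constructed pages."""
    return _PAGES[url]


def sample_review() -> dict:
    """Run the audit over the constructed pages; the live run swaps in fetch_with_token()."""
    return review_admins(list_admins(sample_fetch, _BASE, "1"), APPROVED)


if __name__ == "__main__":
    print(json.dumps(sample_review(), indent=2))
```

For a live run, replace `sample_fetch` with `fetch_with_token("<admin token>")` and the base URL with the institution's Canvas hostname; the same pagination walker works for any Canvas list endpoint. The token used for the audit is itself a privileged credential and should be created for the review and deleted afterwards.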

If you have any questions regarding your educational institution’s response to the Canvas incident, please reach out to the McDonald Hopkins’ national Data Privacy and Cybersecurity practice group.
