How Should Higher Ed Institutions Respond?
Canvas is a popular learning management system in higher education. On EdTech reports that in 2023 Canvas held 41% of the U.S. market share by institution count, and 50% of the market share in 2024 when scaled by enrollment. The Canvas breach is a third-party risk event, and remediation must be treated accordingly, says Walt Powell, lead field CISO at CDW.
“Treating it like a traditional campus security failure will lead institutions to focus on the wrong remediation,” he says. “The right question is not only, ‘How do we harden Canvas?’ but, ‘What does our exposure footprint look like given what we put into Canvas and connected to Canvas?’”
Powell says institutions should map their risk across two axes: data residency and integration risk.
On the data residency side, institutions need to determine whether Canvas contained Family Educational Rights and Privacy Act (FERPA)-regulated records, personally identifiable information (PII), advising communications, accommodation-related communications, research-related course data, student conduct communications, graduate program communications, faculty-student messages, or operational communications.
On the integration side, institutions need to map student information system (SIS) connections, single sign-on (SSO) tools, Learning Tools Interoperability (LTI) tools, developer keys, Canvas Data 2 pipelines, analytics platforms, data warehouses, identity providers, digital content vendors, plagiarism tools, proctoring tools, video platforms and custom middleware.
Affected institutions should confirm notification status, preserve logs, validate SSO and Canvas admin activity, review developer keys and tokens, inventory LTI tools, validate SIS and Canvas Data 2 pipelines, assess data notification obligations, and prepare targeted communications.
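The two-axis mapping and the integration review above can be turned into a simple SaaS exposure register. The following is an added example, not code from the article or from CDW, Instructure or Canvas: it scores a constructed inventory of Canvas integrations on data residency (what categories of records each touches) and integration risk (what kind of access it has), flags stale or unowned credentials and keys that have never been rotated, and returns a prioritized remediation list. The weights, the 90-day and 365-day thresholds, and the sample inventory are all assumptions chosen for illustration.

```python
"""Added example: a minimal SaaS exposure register for Canvas integrations.

Scores each connected system on the two axes the article names (data
residency and integration risk), adds hygiene flags for stale access,
unrotated credentials and missing ownership, and ranks remediation work.
All weights, thresholds and sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Data categories from the article; weight = assumed regulatory sensitivity
DATA_WEIGHTS = {
    "ferpa_records": 5, "pii": 5, "accommodation_comms": 4, "conduct_comms": 4,
    "advising_comms": 3, "faculty_student_messages": 3, "research_course_data": 3,
    "grad_program_comms": 2, "operational_comms": 1,
}

# Integration kinds from the article; weight = assumed breadth of access
INTEGRATION_WEIGHTS = {
    "sis": 5, "identity_provider": 5, "sso": 5, "developer_key": 4,
    "canvas_data_2": 4, "data_warehouse": 4, "custom_middleware": 4,
    "analytics": 3, "lti_tool": 3, "proctoring": 3, "plagiarism": 2,
    "video": 2, "content_vendor": 2,
}

STALE_DAYS = 90        # assumption: no activity in 90 days -> review/disable
ROTATION_DAYS = 365    # assumption: credentials older than a year -> rotate
FLAG_PENALTY = 3       # assumption: each hygiene flag adds this much risk


@dataclass
class Integration:
    name: str
    kind: str
    data_categories: List[str]
    last_used: Optional[date]            # None = never observed in logs
    credential_rotated: Optional[date]   # None = no rotation on record
    owner: Optional[str] = None          # None = nobody accountable for it


def score(item: Integration, today: date):
    """Return (risk, flags) for one integration."""
    # Data residency axis: the most sensitive category the integration touches
    data_score = max((DATA_WEIGHTS[c] for c in item.data_categories), default=0)
    integration_score = INTEGRATION_WEIGHTS[item.kind]
    flags = []
    if item.last_used is None or (today - item.last_used).days > STALE_DAYS:
        flags.append("stale")
    if item.credential_rotated is None or (today - item.credential_rotated).days > ROTATION_DAYS:
        flags.append("rotate_credential")
    if item.owner is None:
        flags.append("no_owner")
    risk = data_score * integration_score + FLAG_PENALTY * len(flags)
    return risk, flags


def build_register(items: List[Integration], today: date) -> List[dict]:
    """Score every integration and return them highest-risk first."""
    rows = []
    for item in items:
        risk, flags = score(item, today)
        rows.append({"name": item.name, "kind": item.kind, "risk": risk,
                     "flags": flags, "owner": item.owner})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def credentials_to_rotate(register: List[dict]) -> List[str]:
    """Names of integrations whose key or token should be rotated, in priority order."""
    return [r["name"] for r in register if "rotate_credential" in r["flags"]]


# Constructed sample inventory (not real systems or dates)
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    Integration("Banner SIS sync", "sis", ["ferpa_records", "pii"],
                date(2025, 5, 31), date(2024, 1, 10), "Registrar IT"),
    Integration("Legacy gradebook export key", "developer_key", ["ferpa_records"],
                None, None, None),
    Integration("Lecture capture", "video", ["operational_comms"],
                date(2025, 5, 20), date(2025, 3, 1), "Media Services"),
    Integration("Proctoring vendor", "proctoring", ["pii", "accommodation_comms"],
                date(2025, 4, 10), date(2025, 1, 5), "Testing Center"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_INVENTORY, TODAY):
        print(f"{row['risk']:>3}  {row['name']:<30} {row['kind']:<14} "
              f"{','.join(row['flags']) or '-':<32} owner={row['owner']}")
    print("rotate first:", credentials_to_rotate(build_register(SAMPLE_INVENTORY, TODAY)))
```

The ranking puts an unowned, never-rotated, never-used developer key above an actively used SIS feed even though the SIS feed touches the same records, which matches the article's point that the exposure footprint is set by what was connected to Canvas, not only by what Canvas itself holds.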
“The first days are about containment, validation, communications and academic continuity,” Powell says. “The first weeks are about exposure mapping, vendor accountability, legal and regulatory review, and integration validation. The next months are about SaaS governance, data minimization, third-party risk, contract remediation and tabletop exercises.”
“CDW can help higher ed institutions build a SaaS exposure register, assess identity and integration risk, support vendor risk reviews, evaluate third-party risk program maturity, map data flows, review incident response readiness, and develop executive-ready communication materials,” he adds.
