How Should K–12 Schools Respond?
K–12 districts depend on Canvas not only for instruction but also for communication between teachers, students and families. The immediate operational impact has been missed assignments, disrupted learning workflows and confusion. Longer-term, the stolen data could be used to create convincing phishing, impersonation and social engineering campaigns.
The Canvas breach is a third-party risk event, and remediation must be treated accordingly, says Walt Powell, lead field CISO at CDW.
“If a district uses Canvas, connects it to its student information system, enables SSO, integrates third-party learning tools, and allows sensitive communications inside the platform, then the district has an exposure footprint that extends beyond its own network,” Powell says.
Powell says districts should map their risk across two axes: data residency and integration risk.
On the data residency side, consider what types of data live in Canvas. This includes student names, school email addresses, student IDs, course enrollments, teacher-student messages, parent communications, accommodation-related communications, disciplinary conversations, health-related notes and operational messages.
On the integration side, think about the systems that connect to Canvas. These include student information system connectors, single sign-on tools, Learning Tools Interoperability tools, digital textbooks, plagiarism tools, assessment tools, content providers, analytics platforms, data warehouses and Canvas Data 2 pipelines. Instructure’s status page showed Canvas Data 2, Canvas Beta, and Canvas Test under maintenance during the incident response, and Instructure reissued certain application keys, requiring users to reauthorize affected integrated tools.
Districts should immediately confirm whether they received direct notification from Instructure, preserve relevant logs, review admin activity, and enforce multifactor authentication for privileged Canvas and identity accounts. They should also rotate local Canvas API tokens where appropriate, review third-party LTI and developer key usage, and monitor for phishing that references Canvas, assignments, grades, teachers, courses or student IDs.
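One way to act on the phishing-monitoring step above, as an added example rather than code from the article, Instructure or CDW: a triage pass that flags mail using the lure themes listed (Canvas, assignments, grades, teachers, courses, student IDs) when the sender or a link falls outside expected domains. The trusted-domain list, message fields and sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: domains this district expects Canvas-related mail and links from.
TRUSTED_DOMAINS = {"district.example", "instructure.com"}
# Lure themes listed in the article.
THEMES = re.compile(r"\b(canvas|assignments?|grades?|teachers?|courses?|student id)\b", re.I)
BRAND = re.compile(r"\b(canvas|instructure)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def domain_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(msg):
    """Return the reasons a message deserves review (empty list = no flag)."""
    display, addr = parseaddr(msg["from"])
    external = not domain_trusted(addr.rpartition("@")[2])
    themed = bool(THEMES.search(msg["subject"]))
    reasons = []
    if themed and external:
        reasons.append("Canvas-themed subject from external sender")
    if external and BRAND.search(display):
        reasons.append("display name claims Canvas/Instructure")
    # Checked even for internal senders: a compromised account can send lures too.
    untrusted = [h for h in URL_HOST.findall(msg["body"]) if not domain_trusted(h)]
    if themed and untrusted:
        reasons.append("link to untrusted host: " + untrusted[0])
    return reasons

# Constructed sample messages (not real traffic).
SAMPLES = [
    {"from": "Canvas Support <support@canvas-helpdesk.example>",
     "subject": "Action required: re-verify your Canvas account",
     "body": "Sign in at https://instructure.com.verify.example/login"},
    {"from": "M Rivera <rivera@district.example>",
     "subject": "Grades posted for Biology",
     "body": "See https://district.example/canvas"},
    {"from": "Lunch Menu <news@cafeteria.example>",
     "subject": "Menu for next week", "body": ""},
    {"from": "Registrar <registrar@district.example>",
     "subject": "Confirm your student ID",
     "body": "Complete the form at http://sid-check.example/form"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", triage(m) or "ok")
```

The first sample shows why the domain check compares whole labels: a host that merely begins with a trusted name is still treated as untrusted.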
Instructure has recommended normal monitoring of Canvas environments, integrations and administrative activity, and said it will communicate directly if a specific action is required by the customer.
“In the next few days, districts should stabilize instruction, validate integrations and communicate phishing guidance,” Powell says. “In the next few weeks, they should build an exposure register and review vendor obligations. In the next few months, they should mature SaaS governance, third-party risk management, data retention, incident playbooks and contract language.”
Powell suggests communicating with parents and the community about the breach early, clearly and carefully, to head off assumptions and panic among the public.
“The right posture is transparency with boundaries: Here is what Instructure has confirmed, here is what remains under investigation, here is what the district is doing, and here is what students, parents, and staff should watch for,” he says.
For districts seeking help managing third-party incidents, guidance is available.
“CDW can help districts translate a vendor incident into a practical response plan: exposure mapping, SaaS risk review, identity and access review, integration inventory, third-party risk support, phishing readiness, tabletop exercises, and communication planning,” Powell says.
