Register for the EDUCAUSE Annual Conference today. Extra 25% off in-person registration, through July 8. →

How Higher Education Is Responding to the Canvas LMS Incident and Preparing for What's Next

Authors:
Isaac Galvan, Susan Bouregy, Joshua Gonzalez and John Virden
Published:
Monday, May 11, 2026
Columns:
Cybersecurity and Privacy
min read


A recent ransomware attack on Instructure's Canvas LMS has raised concerns across the higher education community about cybersecurity, data privacy, third-party risk, and institutional preparedness. More than 950 EDUCAUSE community members joined an EDUCAUSE QuickTalk webinar to discuss campus impacts, share questions, and explore how institutions are responding.

Credit: Skorzewiak / Shutterstock.com © 2026

The recent ransomware incident affecting Instructure's Canvas LMS has raised urgent questions across the higher education community about cybersecurity risk, privacy, and resilience. Instructure has confirmed that a criminal threat actor exploited an issue with Free-For-Teacher accounts in late April, prompting an internal investigation. "The data fields involved include information like usernames, email addresses, course names, enrollment information, and messages," Steve Daly, CEO of Instructure, said. "Core learning data (course content, submissions, credentials) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected."Footnote1

Subsequent additional unauthorized activity led to a temporary system-wide Canvas outage on May 7.

More than 950 EDUCAUSE community members joined a QuickTalk webinar on May 8 to discuss campus impacts and evolving information.Footnote2 The discussion raised both immediate operational questions and broader concerns about third-party risk, data security, and institutional preparedness. What follows is a synthesis of those questions and ways peers are thinking about and addressing them.

Community Discussion

Are institutions reconnecting SIS (student information systems) and LTI (learning tools interoperability) integrations?

Instead of a coordinated pause, institutions are making local decisions based on their own risk tolerance and operational needs (see figures 1 and 2).

What Campus Security and Leadership Teams Are Doing

  • Disconnecting the SIS and LTI during finals for safety.
  • Staying connected (with increased monitoring) to avoid disruption during finals week.
  • Rotating API and SSO keys as a precaution.
  • Monitoring MFA/SSO login attempts.
  • Redirecting their Canvas landing pages to communicate with users.
  • Focusing on vendor-provided information to determine next steps.
Figure 1. Has your institution re-enabled Canvas?
Figure 2. Are you reintegrating LTIs (not APIs)?

Is there clarity on what specific data were exposed?

Participants discussed risks associated with unstructured data in Canvas messages, noting that free-text content could increase exposure. They also pointed to challenges in understanding the scope of the incident, including questions about what data was involved, whether recent phishing attempts might be connected, and whether test environments containing production data may have been exposed (see figures 3 and 4).

What Campus Security and Leadership Teams Are Doing

  • Checking with IT teams about what data and identifiers are loaded when users are created. There might be a combination of student ID and other back-end IDs.
  • Waiting for further clarification from the vendor before making definitive claims.
  • Internally assessing which categories of data would pose the highest risk if exposed and what privacy laws and notification requirements are implicated based on user geographic information.
  • CISOs are concerned about self-service password resets in cases where an sis_id is compromised.
Figure 3. Have you noticed an uptick in phishing since the first incident?
Figure 4. Has anyone reported any data integrity issues?

Are institutions notifying the Department of Education of a potential FERPA issue? Will Instructure be required to issue a FERPA notice?

Several institutions said they are waiting for clearer information about the scope of the breach before taking formal action. Some are deferring to Instructure, which has said it will make all applicable legal and regulatory notifications.Footnote3

In addition, EDUCAUSE has been communicating with the Department of Education, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). EDUCAUSE will continue to update members as more information becomes available.

What Campus Security and Leadership Teams Are Doing

  • Consulting legal counsel and internal compliance teams.
  • Monitoring guidance from EDUCAUSE, the Department of Education, CISA, and the FBI.
  • Informing cyber insurance carriers. The carrier may have advice on communicating with victims and on the response process.
  • Revisiting disaster recovery and emergency operation plans, as circumstances may continue to evolve—sometimes quickly.

How are institutions maintaining academic continuity?

Participants asked how their peers were determining when to issue an "all clear" before reintegrating tools and how to approach requests from students to remove all of their information from Canvas.

What Campus Security and Leadership Teams Are Doing

  • Allowing integrations to return "organically" while monitoring for anomalies.
  • Creating contingency workflows in case of platform disruption.
  • Executing their incident response plan and maintaining regular communication with affected users regarding platform availability and academic program impacts.

Other Notable Practices

  • Help faculty and students develop a backup plan and business continuity plan if Canvas is not available. Advise faculty to take the following precautionary measures:
    • Export student lists with email addresses.
    • Identify an alternative way to communicate with students.
    • Ask students to download their course materials from Canvas so they have local copies if needed.
    • Create a shared folder with course materials and share it with students.
    • Switch to oral papers, online presentations, or papers/projects submitted by email instead of Canvas exams.
    • Download ungraded assignments from Canvas.
    • Export gradebooks into a spreadsheet.
    • Share updated plans with students.

    What should institutions do to prepare for the next threat deadline (May 12)?

    The FBI Cyber Division recommends against sending payments or responding to demands from anyone claiming to have data. It also advises concerned people to await further guidance from their educational institution about the scope and nature of the data that may have been exposed.Footnote4

    Participants emphasized the need to move from immediate response to longer-term readiness, with coordination across IT, legal, communications, and academic leadership teams.

    What Campus Security and Leadership Teams Are Doing

    • Developing or revisiting incident response, business continuity, and disaster recovery plans with all stakeholders.
    • Preparing for potential student or stakeholder notification.
      • If the vendor does not notify any state or attorney general on an institution's behalf, the institution may need to notify state, federal, and international data-protection authorities as well as victims. Notification thresholds depend on the nature of the data accessed, regulatory requirements, and student expectations.

    Next Steps

    Participants asked whether EDUCAUSE should engage directly with Instructure on behalf of higher education institutions and about the value of a more coordinated group response. Many members expressed strong interest in closer collaboration, including coordinated engagement with Instructure, guidance on log access and forensic validation, and the development of shared resources such as API key rotation practices. They also noted the importance of notifying cyber insurance carriers and continuing to collaborate with Internet2 if your institution contracts Canvas through its Net+ program. EDUCAUSE indicated its willingness to help facilitate these conversations as institutions navigate the operational, legal, and strategic implications of this incident and the broader cybersecurity landscape.

    Notes

    1. "Security Incident Update & FAQs," Instructure, accessed May 9, 2026. Jump back to footnote 1 in the text.
    2. Susan Bouregy, Isaac Galvan, Joshua Gonzalez, and John Virden, "What We Know About the Instructure Incident: Cybersecurity, Privacy, and Risk and Your Open Questions," EDUCAUSE Member QuickTalk, May 8, 2026. Jump back to footnote 2 in the text.
    3. "Security Incident Update & FAQs," Instructure. Jump back to footnote 3 in the text.
    4. FBI Cyber Division, "The FBI is aware of a service disruption affecting an online Learning Management System (LMS)," LinkedIn, May 9, 2026. Jump back to footnote 4 in the text.

    Isaac Galvan is Community Program Director, Cybersecurity and Privacy, at EDUCAUSE.

    Susan Bouregy is Chief Privacy Officer at Yale University.

    Joshua Gonzalez is Chief Privacy Officer at Ohio University.

    John Virden is Assistant Vice President for Security, Compliance and Risk Management, and Chief Information Security Officer at Miami University.

    © 2026 EDUCAUSE, Susan Bouregy, Joshua Gonzalez, and John Virden. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.