Canvas Data Breach: Data Privacy Implications for IHEs
- Alan Grose and Emma Bahner, XL Law Consulting
In early May 2026, criminal threat actors gained unauthorized access to the Canvas LMS and claimed to have exfiltrated 3.65 TB of data. The threat actors issued ransom demands first targeting Instructure, the company that owns and operates Canvas, and then targeting over 300 IHEs.
Though the immediate threat against IHEs appears to have been resolved through an “agreement” reached between Instructure and the cybercriminals, affected IHEs should continue to implement their breach response protocols and carefully assess applicable reporting and notification obligations.
In early May 2026, cybercriminals breached the Canvas learning management system (LMS), operated by Instructure, and perpetrated the largest known cybersecurity incident affecting higher education to date. The threat actors claimed to have taken 3.65 TB of data from Instructure’s system, which is used, in some estimates, by half of all American postsecondary students. Moreover, the Canvas breach disrupted academic continuity for many IHEs, hitting at the end of the Spring semester while many students were preparing for or taking final exams.
Importantly, the situation surrounding this security incident may remain dynamic for some time. This article will focus, accordingly, on the data privacy compliance considerations that should be top of mind for IHEs now.
What Happened?
The 2026 Canvas breach appears to have unfolded in two phases. First, on May 2, 2026, Instructure notified its customers that it had detected and taken steps to remediate unauthorized access to its systems that may have involved information about users of the Canvas LMS, including usernames, email addresses, course names, enrollment information, and messages sent between users within the LMS system. On May 3, 2026, threat actors claimed to have exfiltrated 3.65 TB of data and issued a ransom demand targeting Instructure with a May 6, 2026 deadline.
Then, on May 7, 2026, a day after Instructure indicated that the breach of its systems had been resolved, the threat actors again gained unauthorized access and defaced the user login pages of over 300 institutions, redirecting users to a message containing a link to a list of affected institutions and a demand, with a May 12, 2026 deadline, that those institutions reach out to negotiate a settlement or face the disclosure of the exfiltrated data.
With a new deadline looming, on the evening of May 11, 2026, Instructure issued an update stating that it had “reached an agreement with the unauthorized actor involved in this incident.” Though noting that “there is never complete certainty when dealing with cyber criminals,” the update stated that the data was “returned” to Instructure, that Instructure had “received digital confirmation of data destruction (shred logs),” and that Instructure had received assurances that “no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” Instructure’s update stated further that the agreement covered “all impacted Instructure customers” and that “there is no need for individual customers to attempt to engage with the unauthorized actor.”
What Data Was Involved?
As of its update on May 8, 2026, Instructure confirmed that “the data fields involved include information like usernames, email addresses, course names, enrollment information and messages.” However, the update also noted that “core learning data (course content, submissions, credentials) was not compromised.”
Instructure’s Incident Update page also noted that the company was working with forensic analysts “to conduct a comprehensive e-discovery exercise on the data that was involved so that we can provide customers with further specificity.” It noted that it expected this latter comprehensive review to take weeks to complete.
Data Breach Reporting Requirements
Given the number of jurisdictions domestically and internationally that have enacted regulations pertaining to the protection of personal information, the task of identifying all of an IHE’s reporting obligations may be quite complex. The following points outline only some of the more prominent potentially relevant regulatory considerations or frameworks.
U.S. Federal. In the patchwork approach of U.S. federal privacy regulation, three areas merit immediate consideration.
FSA Reporting. The “enrollment information” involved in the breach might trigger provisions of the IHE's Title IV Program Participation Agreement and ED's Student Aid Internet Gateway (SAIG) agreement. On May 12, 2026, FSA issued an electronic announcement, (General-26-27) Technology Security Alert – Ongoing Cybersecurity Incident Involving the Canvas Learning Management System, noting that ED had been in communication with Instructure regarding the breach. The announcement included the guidance, “If your institution receives a ransom message, threat communication, or evidence of unauthorized access through Canvas, please report immediately.”
FERPA Obligations. Although FERPA does not contain a breach notification requirement, unauthorized disclosure of education records could still raise FERPA concerns, and IHEs must maintain a record of the “disclosures.” The U.S. Department of Education’s (ED) Student Privacy Policy Office also suggests that IHEs should take “appropriate” steps to address the breach, which might be interpreted to include notification to affected students. Finally, ED could evaluate whether Instructure satisfied required standards for the use and protection of education records as a “school official” under FERPA.
GLBA Safeguards Rule. As guidance from the U.S. Department of Education (ED) has noted, IHEs must comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. While the GLBA Safeguards Rule does not contain any express data breach reporting requirements, it requires IHEs to maintain a written data breach response plan, which must address external communications and reporting.
U.S. State Reporting. Every U.S. state (including the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam) has a breach notification law. These laws differ widely, however, in their definitions of “personal information,” the triggers for the notification requirements (e.g., no harm required vs. defined harm standards), notification timelines, attorney general notification requirements, and potentially other requirements.
International Reporting. A growing number of jurisdictions internationally have laws that require IHEs to report data breaches involving the personal information of individuals located or residing within the jurisdiction, and many of these laws apply extraterritorially to breaches that occur within the U.S.
EEA GDPR. For data breaches involving Personal Data protected by the General Data Protection Regulation (GDPR), where that data relates to individuals located within the European Economic Area (EEA), IHEs must notify the appropriate EEA supervisory authority without undue delay and no later than 72 hours after becoming aware of the data breach, unless the data breach is unlikely to result in risk to individuals’ rights and freedoms. Additionally, IHEs must notify affected individuals whose Personal Data is protected by the GDPR without undue delay if the data breach is likely to result in a high risk to such individuals’ rights and freedoms.
PRC PIPL. For data breaches involving Personal Information protected by the People’s Republic of China’s Personal Information Protection Law (PRC PIPL), IHEs must immediately notify the Chinese National Cyberspace Department. IHEs must also immediately notify affected individuals whose Personal Information is protected by the PIPL, unless the IHE’s protective measures can effectively avoid the harm caused by the data breach.
Considerations for OGC
In the hours and days after Instructure was able to restore normal Canvas operations, institutional responses varied, as might be expected when so many IHEs activated their incident response protocols. Some kept Canvas offline for further forensic analysis, while others updated login procedures and other security measures. From a data privacy compliance perspective, the following are actions IHEs should undertake promptly in order to assess their reporting and notification obligations.
Assess relevant jurisdictions. Identify the jurisdictions represented among your affected Canvas users. Include jurisdictions from which students might commute to campus and jurisdictions represented in online programs. Don’t forget to assess the residency of alumni, if your institution retains accounts for recent graduates.
Identify any vulnerable populations. Determine whether your Canvas system is utilized by any camp programs that might involve cohorts of minors. Consider whether any disability accommodation information might be readily discernible. Identify whether any other potentially sensitive information might have been disclosed via assignments submitted or any communications within Canvas that might have been compromised.
Undertake harm assessments. Because many potential reporting obligations depend upon an assessment of potential harms that might result from the disclosure, assess the range of potential harms now.