On May 12, 2026, the U.S. Department of Education issued a Technology Security Alert (GENERAL-26-27) regarding an active cybersecurity incident involving Instructure Holdings, Inc., the parent company of the Canvas Learning Management System. The breach, claimed by ransomware group ShinyHunters, exposed usernames, email addresses, course names, enrollment data, and messages at institutions worldwide. Attackers gained access through unmanaged Free-For-Teacher accounts that lacked multi-factor authentication (MFA).
Instructure has stated that passwords, government identifiers, and financial information were not exposed, but affected data may contain PII. ED’s Student Privacy Policy Office has engaged Instructure regarding FERPA compliance, and the incident remains active.
How to Report
If your institution received a ransom message, observed suspicious Canvas activity, or was notified by Instructure, report immediately through established ED channels:
- Web: Click Here
- Email: FSASchoolCyberSafety@ed.gov
Do not wait for a formal notice from Instructure. Timely self-reporting reflects sound institutional governance and supports the federal response effort.
Immediate Actions
FSA recommends the following steps. Treat these as a compliance checklist, not optional guidance:
- Enforce MFA on all systems, including faculty, staff, student, and administrator accounts.
- Disable unmanaged accounts. Remove Free-For-Teacher or other non-enterprise Canvas accounts.
- Review logs for suspicious activity, particularly between April 25 and May 8, 2026.
- Rotate Canvas integrations: LTI tools, SSO connectors, and API keys, per Instructure guidance.
- Validate third-party vendor agreements and confirm integration partners do not have unnecessary access to student data.
- Activate your incident response plan and prepare for inquiries from students, faculty, and staff.
Is Your GLBA Safeguards Policy Up to Date?
This incident is a direct illustration of the third-party vendor risk your GLBA Safeguards policy is designed to address. If your institution has not recently reviewed its written information security program, now is the time. Key areas to revisit include:
- MFA requirements across all administrative, faculty, staff, and student accounts.
- Vendor oversight, including a current inventory of every third-party platform with access to student data and documented periodic risk assessments.
- Qualified Individual oversight, confirming that monitoring, training, and access reviews are occurring on schedule.
- A tested incident response plan, with clear reporting responsibilities and timeframes.
McClintock & Associates can help you assess your current GLBA Safeguards policy and identify gaps before your next audit. Contact us to schedule a consultation.

