Canvas Data Breach

In response to the Instructure (Canvas) hack and data theft incident, WOU is providing the following information on the actions recommended for universities.

Review Instructure’s Security Incident Update & FAQ.

Issue targeted phishing advisories to all Canvas users

UCS sent 3 different emails during and after the event (and the following week) warning users of phishing risks. This is a reminder that all users should complete Cybersecurity training that is available in Canvas. These trainings include modules targeting known phishing attacks. UCS will be deploying new cybersecurity reminders on the lock screens of campus computers starting 5/18. CTL also put a notification banner inside Canvas.

Confirm your organization can identify what data was housed in Canvas, which users are affected, and what breach notification obligations apply under FERPA, COPPA, and applicable state laws

  1. WOU’s General Counsel has reviewed our breach notification requirements and determined that no PII (SSN, DOB) is stored in Canvas. Only enrollment information and possibly Canvas messages include FERPA data.
  2. Instructure is currently working with an external organization to conduct a forensic audit on each school impacted, and will communicate that information to us when it is complete.

In general terms (not specific to WOU, or any particular courses or users) the data types that have been confirmed to have been accessed are:

  • Canvas Usernames
  • Email Addresses (potentially non-WOU addresses, if users have opted to have notifications sent to another email address)
  • Course Names (These include the course SISID/CRN)
  • Enrollment Information: Who is in which class and what their role is (Student, Teacher, etc.)
  • Private communications sent via Canvas Messages. This includes message history between students and instructors, as well as peer-to-peer and faculty-to-faculty messages within a course. These interactions are course-bound; students can only message those in their active sections/groups, while faculty can message any user enrolled in their courses.

Data types that Instructure says were not compromised are:

  • Course Content: Actual Pages, Files, and Modules
  • Submissions: Student work (papers, uploads, quiz attempts)
  • Student Grades
  • Disciplinary Records: Any administrative notes or conduct flags
  • User credentials and login passwords were not involved in this incident.

Confirm that incident response plans account for vendor-mediated breaches

UCS is utilizing the existing IRP to track this incident.

Evaluate whether current vendor agreements for critical platforms require vendors to provide institution-specific forensic data during an incident

WOU’s General Counsel has confirmed that this is required. Instructure also promised to provide this information during the webinar on 5/13/26.

Assess your organization’s dependency on any single education technology platform and evaluate whether contingency plans exist for extended platform unavailability

WOU is highly dependent on Canvas as our primary educational technology platform. Instructure’s contracted service commitment includes 99.9% uptime: https://www.instructure.com/policies/master-terms-and-conditions. Single-vendor dependency will be one of the discussion topics during our post-incident review and going forward.

Rotate all Canvas API keys, OAuth tokens, LTI secrets, and Single Sign-On (SSO) credentials, including any locally cached copies that touched Canvas during the exposure window

UCS and CTL disabled all the external tools that touch Canvas during the event. Before re-enabling them, WOU rotated all the appropriate keys and worked with vendors to ensure security.