The Canvas Cyberattack: How Higher Education Can Improve Cybersecurity

May 12, 2026


Key insights

The Canvas ransomware incident underscores how third-party SaaS outages can disrupt academic continuity at scale.

Even limited data exposure can fuel phishing, credential harvesting, and follow-on attacks across campus systems.

Stronger controls — MFA enforcement, integration reviews, and incident response planning — can help reduce vendor-driven risk.

Cloud-based systems have become foundational to how higher education operates, but they also introduce a new level of third-party risk.

The recent ransomware attack impacting Canvas — one of the most widely used learning management systems globally — is a clear reminder that even trusted, mission-critical vendors aren’t immune to disruption. The attack disrupted access to Canvas during one of the busiest periods of the academic year and raised serious concerns about student and institutional data exposure.

What’s known so far about the Canvas cyberattack

According to Canvas owner Instructure and multiple reporting sources, the compromised information may include:

  • Names
  • Email addresses
  • Student ID numbers
  • Messages exchanged within Canvas

At this time, Instructure says there’s no evidence that passwords, Social Security numbers, financial information, birth dates, or government-issued identifiers were exposed.

The attackers reportedly altered Canvas login pages and displayed extortion messages demanding payment before a stated deadline. In response, Instructure temporarily placed portions of the Canvas platform into maintenance mode while investigating and applying mitigations.

The incident affected approximately 275 million users across nearly 9,000 universities, colleges, and K-12 schools worldwide. Some institutions experienced outages during final exams and assignment submissions, creating operational challenges for faculty and students alike.

The impact of the Canvas cyberattack on higher education

Even though passwords and financial records may not have been compromised, the exposed data may still present significant cybersecurity risk.

Student and faculty email addresses, internal communications, and institutional identifiers can be weaponized for:

  • Targeted phishing campaigns
  • Credential harvesting
  • Business email compromise (BEC)
  • Social engineering attacks against students, faculty, and administrators
  • Follow-on attacks against connected systems

Educational institutions remain attractive targets because they manage large volumes of sensitive personal information while often operating with decentralized IT environments and constrained security resources.

This incident also reinforces a growing reality in higher education cybersecurity: Third-party platforms can quickly become enterprise-wide operational risks.

Recommended actions for higher education institutions using Canvas

Organizations currently using Canvas should take immediate steps to reduce risk and prepare for potential downstream attacks. While a comprehensive set of actions tailored to your organization is beyond the scope of this article, here are some general recommendations higher education institutions can evaluate and execute at their discretion.

1. Increase monitoring for phishing activity

Expect an increase in phishing emails impersonating:

  • Canvas
  • University IT departments
  • Faculty members
  • Student services
  • Financial aid offices

Attackers may use real student or faculty information to make phishing attempts appear legitimate.

Institutions should:

  • Alert users to heightened phishing risk
  • Reinforce reporting procedures
  • Increase email security monitoring
  • Review SPF, DKIM, and DMARC configurations

2. Enforce and verify MFA

If multi-factor authentication (MFA) isn’t universally enforced for Canvas-related accounts and federated identity systems, now is the time.

Institutions should:

  • Require MFA for faculty, staff, and administrators
  • Review privileged access accounts
  • Audit single sign-on (SSO) integrations tied to Canvas

3. Review third-party integrations

Canvas environments are commonly connected to:

  • Student Information System (SIS) platforms
  • Identity providers
  • Collaboration tools
  • File-sharing systems
  • Third-party educational applications

Security teams should review:

  • API integrations
  • OAuth permissions
  • Service account access
  • Vendor trust relationships

4. Prepare for credential reuse attempts

Even without password exposure, attackers frequently leverage phishing and password reuse after high-profile breaches.

Organizations should:

  • Monitor for abnormal login activity
  • Review impossible-travel alerts
  • Check for credential stuffing attempts
  • Encourage password changes where appropriate
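
The impossible-travel and credential-stuffing checks above can be prototyped over authentication logs before tuning them in a SIEM. This is an added example, not part of the original article: the log format, thresholds, and function names are assumptions, the events are constructed, and it assumes logs are time-ordered and already enriched with IP geolocation.

```python
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (not real data): time, user, source IP, result, lat, lon.
# Assumes time-ordered authentication logs already enriched with IP geolocation.
SAMPLE_LOG = """\
2026-05-12T08:00:05Z alice 198.51.100.7 success 44.98 -93.27
2026-05-12T08:01:10Z bob 203.0.113.50 failure 52.52 13.40
2026-05-12T08:01:12Z carol 203.0.113.50 failure 52.52 13.40
2026-05-12T08:01:15Z dave 203.0.113.50 failure 52.52 13.40
2026-05-12T08:01:19Z erin 203.0.113.50 failure 52.52 13.40
2026-05-12T09:00:05Z alice 203.0.113.99 success 35.68 139.69
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, user, ip, result, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield when, user, ip, result, float(lat), float(lon)

def km_between(lat1, lon1, lat2, lon2):
    # Great-circle (haversine) distance in kilometres.
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900):
    # Flag users whose consecutive successful logins imply a speed above max_kmh.
    last, alerts = {}, []
    for ts, user, _, _, lat, lon in (e for e in events if e[3] == "success"):
        if user in last:
            pts, plat, plon = last[user]
            hours = max((ts - pts).total_seconds() / 3600, 1 / 3600)
            if km_between(plat, plon, lat, lon) / hours > max_kmh:
                alerts.append(user)
        last[user] = (ts, lat, lon)
    return alerts

def credential_stuffing(events, min_users=4, window_s=300):
    # Flag source IPs with failed logins for >= min_users distinct accounts in one window.
    fails = defaultdict(list)
    for ts, user, ip, result, *_ in events:
        if result == "failure":
            fails[ip].append((ts, user))
    return [ip for ip, items in fails.items()
            if any(len({u for t, u in items
                        if 0 <= (t - s).total_seconds() <= window_s}) >= min_users
                   for s, _ in items)]
```

Both functions take a list, for example `events = list(parse(SAMPLE_LOG))`, since the parser is a generator and each detector iterates the events separately.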

5. Validate incident response readiness

This event is a reminder that SaaS disruptions can rapidly impact academic continuity.

Institutions should confirm:

  • Alternative communication channels exist
  • Faculty understand continuity procedures
  • Critical academic workflows can function during outages
  • Incident response plans include third-party platform compromise scenarios

6. Engage vendors proactively

Higher education leaders should request clarity from Instructure and other vendors regarding:

  • Scope of exposure
  • Timeline of compromise
  • Security control improvements
  • Monitoring and notification procedures
  • Third-party forensic findings

Vendor risk management shouldn’t stop at procurement.


The information contained herein is for informational purposes only, general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CLA) to the reader. Your use of the information does not create a client or any other contractual relationship between you and CLA. ©️2024 CliftonLarsonAllen LLP. For more information, visit godigital.CLAconnect.com. CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer.