Canvas Breach: What It Means for Schools & FERPA Compliance

May 8, 2026 at 1:32 PM

When the Canvas login page was replaced with a ransom note on the morning of May 7, 2026, it did not look like a typical edtech outage. Students at Harvard, the University of Michigan, Duke, the University of Maryland, and thousands of other institutions opened their laptops in the middle of finals week and saw a message from a cybercrime group called ShinyHunters claiming it had stolen data on more than 275 million students and faculty across nearly 9,000 schools. By the afternoon, Instructure (Canvas’s parent company) had pulled the platform offline and replaced the portal with a notice that Canvas was “currently undergoing scheduled maintenance,” a description that struck many security professionals as misleading given the public ransom demand.

The Canvas data breach is the latest reminder that the edtech supply chain is now a primary target for extortion groups, and that a single compromise at a learning management system vendor can ripple across thousands of schools at once. This post walks through what we know about the Canvas hack, why ShinyHunters chose finals week, and how the incident intersects with the Family Educational Rights and Privacy Act (FERPA), the federal law that governs student data in U.S. schools.

What Happened: A Quick Timeline of the Canvas Breach

According to Instructure’s own status page and reporting from major media outlets, the Canvas breach did not start on May 7. The timeline runs roughly like this:

  • September 2025: ShinyHunters publishes thousands of internal University of Pennsylvania files, later reported to involve a Canvas and Instructure access path. At the time, the incident is framed as a Penn-specific story.

  • May 1, 2026: Instructure publicly discloses a cybersecurity incident perpetrated by a criminal threat actor.

  • May 2, 2026: Instructure CISO Steve Proud states the incident has been contained.

  • May 3, 2026: ShinyHunters publishes a ransom note threatening to leak data on more than 275 million people across nearly 9,000 schools.

  • May 6, 2026: Instructure confirms the compromised data includes names, email addresses, student ID numbers, and Canvas messages, but says it has found no evidence that passwords, dates of birth, government IDs, or financial information were taken. ShinyHunters extends a leak deadline to May 12.

  • May 7, 2026: The Canvas login page is defaced with a public ransom message. Instructure pulls the platform offline mid-day during final exams at many universities.

  • May 8, 2026: Canvas is mostly restored. Instructure attributes the second intrusion to the same Free-for-Teacher account issue exploited the prior week and shuts those accounts down temporarily.

The pattern matters. Cloudskope CEO Dipan Mann argues the September 2025 Penn incident was effectively a proof of concept and that the May 2026 events were a planned escalation, not a one-off. ShinyHunters reinforced that view, claiming Instructure had ignored them and applied security patches rather than negotiating.

Who Is ShinyHunters, and Why Did They Target Canvas?

ShinyHunters is a loose, fluid cybercriminal collective that has been active since around 2020. Their playbook is data theft and extortion, often launched through voice phishing and social engineering aimed at IT staff or other trusted insiders. The group has been linked to high-profile incidents at Ticketmaster, AT&T, ADT, McGraw Hill, Medtronic, Rockstar Games, 7-Eleven, and Carnival, plus other education vendors like the K-12 student information system Infinite Campus.

The Canvas attack fits the pattern with one important twist. By defacing the login page during finals week, ShinyHunters did not just extort Instructure. They put pressure on every individual school and district that depends on the platform to manage grades, assignments, lecture videos, and student communication. The group went so far as to encourage affected institutions to open their own ransom negotiations rather than wait for Instructure to act, advising schools to consult cybersecurity experts and reach out to negotiate a settlement.

What Data Was Exposed in the Canvas Hack

Per Instructure’s public statements, the stolen data so far includes:

  • Student and faculty names

  • Email addresses

  • Student ID numbers

  • Messages exchanged between students and teachers inside Canvas

ShinyHunters claims the haul also contains several billion private messages, plus phone numbers. Instructure says it has not seen evidence of passwords, dates of birth, government identifiers, or financial information in the stolen data.

Even without Social Security numbers or banking information, this is sensitive material. Student ID numbers are often reused as identifiers across other school systems, email addresses are durable phishing targets, and private messages between students and instructors can include disability accommodations, mental health discussions, academic integrity concerns, and other content that students reasonably expected to stay private. For schools, the practical risk is not just identity theft. It is the downstream phishing, extortion, and reputational fallout that follows when student records leak onto the dark web.

What Is FERPA? A Quick Primer

The Family Educational Rights and Privacy Act, better known as FERPA, is the federal law that governs the privacy of student education records in the United States. Passed in 1974 and codified at 20 U.S.C. § 1232g, with implementing regulations at 34 CFR Part 99, it applies to virtually every educational agency or institution that receives funds under a program administered by the U.S. Department of Education, from public K-12 districts to private universities that participate in federal financial aid programs.

At a high level, FERPA does three things. First, it gives parents, and students once they turn 18 or enroll in a postsecondary institution (called eligible students), the right to inspect and request corrections to their education records. Second, it restricts when and how a school can disclose those records to third parties without consent. Third, it requires schools to use reasonable methods to control who inside the institution, and at its contractors, can access education records.

The term education records is interpreted broadly. It covers grades, transcripts, disciplinary records, advising notes, and increasingly, the digital records housed in learning management systems like Canvas. Names paired with student IDs, course rosters, and instructor messages would generally fall inside the FERPA tent. One caveat: a school may designate names and email addresses as directory information, which can be released without consent unless the student has opted out, and a student ID number can be directory information only if it cannot be used on its own to access education records. That designation affects how much of the Canvas data set a given school must treat as protected.

Does the Canvas Breach Trigger a FERPA Violation?

This is the question every general counsel’s office is asking right now, and the honest answer is that it depends, and it is more complicated than most headlines suggest.

Schools, Not Vendors, Are Directly Bound by FERPA

FERPA applies directly to schools, not to vendors. When a district or university hands student data to a service like Canvas, Instructure typically operates as a school official under the outsourcing provision of the FERPA regulations (34 CFR § 99.31(a)(1)(i)(B)), via a service agreement. That exception only holds if the vendor performs a function the school would otherwise use its own employees for, is under the school's direct control with respect to the use and maintenance of the records, and is bound to use the data only for authorized purposes and not redisclose it. FERPA does not regulate Instructure itself, but the contract is what makes Instructure honor FERPA on behalf of its customers, which is why the contract terms matter so much after a breach.

A Third-Party Breach Is Not the Same as a School Disclosure

A breach by a third party is not the same as a school choosing to release records. The U.S. Department of Education has historically treated unauthorized intrusions as potential FERPA issues only if the school failed to take reasonable steps to protect the data, including reasonable due diligence on the vendor. So if a school did its homework, signed a strong data processing addendum, and asked the right questions about Instructure’s controls, the school is on much firmer ground than one that did not.

FERPA Has Limited Teeth in Practice

The realistic enforcement picture is also worth understanding. FERPA does not give individuals a private right of action, which means students and parents cannot sue schools directly under the statute. The Department of Education’s Student Privacy Policy Office investigates complaints and can in theory threaten a school’s federal funding, but a FERPA fine in the traditional sense does not exist. In practice, no district has been stripped of funding under FERPA in the law’s 50-plus year history.

That does not mean schools and vendors are off the hook. State student privacy laws (California’s SOPIPA, New York’s Education Law Section 2-d, Colorado’s HB 16-1423, and many others) often have sharper teeth, including civil penalties and breach notification requirements. And Instructure itself faces potential exposure on negligence, breach of contract, and consumer protection grounds that are entirely separate from FERPA.

What Schools and Districts Should Do Now

For institutions that use Canvas, several practical steps are worth taking this week:

  • Wait for direct notice from Instructure. The company has asked schools to ignore third-party lists of affected institutions circulating on social media and to rely on direct communication.

  • Document your vendor due diligence. Pull the Instructure contract, the data processing addendum, and any security questionnaires you completed. If the breach becomes a regulatory matter, that paper trail is your first line of defense.

  • Map the data. Identify exactly which student records flowed into Canvas, including any sensitive special education or counseling messages that may have been exchanged on the platform, and note which fields your institution has designated as directory information, since that changes the notification analysis.

  • Review your state’s student privacy law. Breach notification deadlines, parent notification language, and required attorney general filings vary widely from state to state.

  • Check your incident response plan. Confirm that your IR plan accounts for vendor-side breaches and that you have a communication template ready for students, parents, and faculty. Brief your help desk as well: stolen names, email addresses, and student IDs are exactly what a convincing Canvas- or Instructure-themed phishing email needs, so expect follow-on phishing and tell users how legitimate notices will reach them.

  • Communicate calmly. A short, clear update that explains what is known, what is not yet known, and what protective steps the institution is taking goes a long way toward preserving trust.

The Bigger Picture: Edtech, FERPA, and the Vendor Supply Chain

The Canvas breach is significant not only because of its scale but because of what it reveals about the edtech supply chain. Schools have increasingly outsourced the storage of education records to a small number of vendors, and a single compromise at one of those vendors can ripple across thousands of institutions in a way no individual district could have prevented through its own controls.

FERPA was written in an era of paper files in locked cabinets. Its protections still matter, but the law is showing its age in a world where a single learning management system holds 275 million people's records and one successful social-engineering call or one abused account type can put it all at risk. Expect the Canvas breach to add momentum to ongoing conversations about modernizing federal student privacy law, tightening vendor contract terms, and pushing for clearer breach notification standards across both K-12 and higher education.

In the meantime, schools should assume that an edtech vendor breach is now a routine operational risk, not a tail event. The institutions that fared best after the May 7 outage were the ones that had a contingency plan, a current vendor risk file, and a communication template ready to go. Everyone else spent finals week scrambling. If your school or district has not stress-tested its response to a Canvas-style incident, now is the time, before the next ShinyHunters-style group decides your vendor is its next proof of concept.

Need Help Navigating Vendor Risk and FERPA?

Compass IT Compliance helps colleges, universities, and K-12 districts assess third-party risk, mature their incident response programs, and align controls with FERPA, state student privacy laws, and broader cybersecurity frameworks. If the Canvas breach has surfaced questions about your own program, our team can help you separate signal from noise and build a defensible path forward.
