Back to Resources

The Canvas Breach: Why Continuous PII Sanitisation Is Now a Board-Level Issue

When ShinyHunters walked out of Instructure with what they claim is data on 275 million Canvas users and nearly 9,000 schools — twice in two weeks — they didn't just take student records. They took a hard look at how every college and K-12 district stores, retains and forgets about personal data.

What actually happened

Canvas, the learning management system run by Instructure, is used by roughly half of US higher-education institutions and a significant share of K-12 districts globally. In late April 2026 attackers gained access through compromised "Free-For-Teacher" accounts — a self-serve tier of Canvas with weaker controls than the enterprise instances most schools assume they live behind. A second intrusion followed in early May, knocking the platform offline during finals week for millions of students.

The extortion crew ShinyHunters claimed responsibility, posting that they held data on up to 275 million users across 9,000 schools. Instructure has disputed the scale but confirmed unauthorized access and the exposure of user information and messaging content. By mid-May, the company appears to have reached an "agreement" with the attackers — widely interpreted as a ransom payment — and US lawmakers had begun demanding answers.

The real lesson isn't "Canvas got hacked"

Every SaaS platform will eventually be breached. The differentiator is what attackers find when they get in. Canvas exposed the same uncomfortable truth we see at almost every college, district and university we scan:

• Student records from learners who graduated five, ten, fifteen years ago are still live in the platform.
• Faculty inboxes contain scanned passports, SSNs, financial-aid PDFs and counselling notes that should never have been emailed in the first place.
• Donor and advancement data — wealth screenings, household giving capacity, gift histories — sit in shared drives with permissive access.
• "Free-For-Teacher" and unmanaged shadow tenants exist outside IT's inventory.

In other words: the breach surface is what you kept that you didn't need. Sanitising PII isn't a project. It's a process — one that has to run continuously against the systems where data actually lives.

Five trends every education leader should track in 2026

1. Identity-tier compromises are the new entry point

The Canvas intrusion didn't start at the enterprise login. It started at a low-tier, self-serve account type that shared underlying infrastructure with paid tenants. Expect regulators and cyber insurers to start asking "what's your inventory of every account class connected to your data?"

2. Continuous discovery is replacing annual audits

An audit tells you what was true on a Tuesday in March. Continuous PII discovery tells you what's true right now — including the OneDrive folder a faculty member just shared externally. The shift from point-in-time to real-time is the single biggest change in education GRC this year.

3. ROT is the cheapest risk reduction available

Redundant, Obsolete and Trivial (ROT) data typically makes up 40–60% of an institution's unstructured stores. Every record you defensibly delete is a record an attacker can't ransom. ROT remediation is the highest-ROI security control most schools have never deployed.

4. Donor and advancement data is the next target

Threat actors have figured out that advancement offices hold the highest-value PII on campus: high-net-worth individuals, household financials, planned giving documents. It is rarely classified, rarely encrypted at field level, and almost never subject to the same controls as student records.

5. "We use a vendor" is no longer a defence

FERPA, GLBA and the growing patchwork of US state privacy laws make it explicit: the school is the data custodian, not the LMS. The TechCrunch reporting on US lawmakers pressing Instructure should be read as a warning shot to every board that has outsourced its student data and assumed the risk went with it.

A 30-day continuous sanitisation playbook

1. Inventory every tenant. Include free, trial and shadow tenants of every SaaS platform — especially LMS, SIS and CRM.
2. Run a discovery scan against the top three repositories where staff actually store files (almost always SharePoint/OneDrive, Google Drive, and a network share).
3. Classify by sensitivity, not by folder. Modern tools fingerprint SSNs, DOBs, financial aid IDs, medical notes and donor wealth indicators automatically.
4. Quantify ROT, get legal sign-off on a retention rule, and defensibly delete.
5. Lock down external sharing on anything classified Restricted or Confidential.
6. Publish a one-page "do-not-paste" rule for staff using ChatGPT, Copilot, Gemini and any browser AI assistant.
7. Move discovery from project to subscription. Continuous scanning, with monthly executive reporting on net-new exposure.

The honest bottom line

Instructure will recover. Some of the 9,000 schools won't — at least not without painful notification costs, regulator scrutiny, and a hit to enrolment and donor confidence. The institutions that come out ahead aren't the ones with the biggest cyber budgets. They're the ones that decided, before the breach, that old PII is a liability, not an asset, and built a process to keep sanitising it.