Canvas / Instructure Cybersecurity Incident

Public-facing service disruptions affecting tools relying on API keys surfaced on **April 30, 2026** (Instructure's security team had detected the underlying intrusion on April 29; see the dwell-time fact below). Instructure then publicly disclosed the incident on **May 1, 2026** (~4:30 PM Mountain Time / 6:46 PM ET) via a customer letter from CISO Steve Proud describing 'a cybersecurity incident perpetrated by a criminal threat actor.'

Initial impact: Canvas Data 2 and Canvas Beta were taken offline for maintenance; tools relying on API keys experienced disruption. Canvas itself remained operational at most tenants until May 7.

**ShinyHunters has claimed responsibility.** The group listed Instructure on its leak site on May 3, 2026 and is the same actor behind a prior September 2025 social-engineering breach of Instructure's Salesforce instance, plus contemporaneous breaches at Vimeo, Salesforce, AT&T, Google, McGraw-Hill, and others.

**Compromised data reportedly includes** names, email addresses, student ID numbers, and Canvas in-platform messages between users. Instructure has stated no evidence that passwords, dates of birth, government identifiers, or financial information were involved, though investigation remains ongoing.

**Threat-actor scale claims (unverified by Instructure):** ShinyHunters claims ~3.65 TB / ~275 million students-teachers-staff records / ~9,000 schools. BleepingComputer reported the actor's specific count as 8,809 schools.

Instructure's containment / response actions: revoking privileged credentials and access tokens, deploying security patches, rotating keys 'even though there is no evidence they were misused', increased monitoring, reissuing application keys with timestamp-based naming, and requiring customer re-authorization of integrations.

**On May 7, 2026 ~3:30 PM (afternoon CT)**, ShinyHunters defaced Canvas customer login portals via HTML injection, visible for ~30 minutes before takedown. Defacement carried text: 'ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some "security patches."' Demanded schools 'consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement.' Set deadline: 'You have till the end of the day by 12 May 2026 before everything is leaked.'

**Three institutional response postures have emerged**: (1) Canvas remained operational locally, UVA, Cornell, UT Austin, CU Boulder; (2) Canvas taken offline by Instructure in response to defacement, Penn State, Baylor, UMD, OSU, OU, UW–Madison, U Missouri, U Iowa, FIU, VCU, Princeton, JMU, Penn, Harvard, ASU, UMass; (3) Some have committed to academic accommodations, JMU delayed exams to May 13, Liberty promised class extensions, Princeton's Dean Gordin asked instructors to download Canvas gradebooks as precaution.

Two **class-action investigations** have been announced: Chimicles Schwartz Kriner & Donaldson-Smith LLP and Shamis & Gentile P.A. ClassAction.org is soliciting plaintiffs.

**State-level confirmation:** The North Carolina Department of Public Instruction has confirmed receiving a breach notification from Instructure, implicating K-12 districts as well as higher ed.

**No CISA advisory, no FBI alert, no Department of Education FERPA notice, no CVE** has been published as of this update. Federal involvement is limited to Instructure's own statement that it 'notified law enforcement.' MS-ISAC and REN-ISAC have not posted public advisories.

**Instructure is privately held.** KKR and Dragoneer Investment Group completed a $4.8 billion all-cash take-private acquisition at $23.60/share on November 13, 2024. INST common stock ceased trading on NYSE that day, and the company filed Form 15-12G to deregister securities. **Critical implication:** the SEC's 2023 Item 1.05 cyber-disclosure rule (4-business-day clock) does NOT apply, no INST share-price reaction is possible, and no Rule 10b-5 securities class action is viable. Financial-exposure analysis lives in the leveraged-loan secondary market, KKR Americas Fund XIII LP letters, and the consumer/regulatory tracks, not on EDGAR.

**LBO debt structure provides the post-private 'stock-price' equivalent for credit signal.** Pre-breach baseline: $1.685 B first-lien term loan (rated B-/B2), $365 M second-lien term loan (CCC/Caa2), $225 M revolver due 2029 with a springing first-lien leverage covenant. Corporate family rating B-/B3 stable. Watch secondary-market loan quotes and any S&P / Moody's CreditWatch Negative placement (plausible within 2-4 weeks given two confirmed breaches in <8 months).

**Federal-government vacuum at day 7+.** Through 168 hours since Instructure's May 1 disclosure, U.S. federal agencies have issued **zero** Canvas-specific products: no CISA advisory, no FBI Flash / IC3 alert, no PTAC FERPA bulletin, no FSA Dear Colleague Letter, no FTC announcement under the updated April 22 2026 COPPA Rule, no White House / ONCD statement, no congressional letter or hearing from any of the seven committees with jurisdiction (Senate HELP, HSGAC, Intel; House Ed & Workforce, Homeland Security, Energy & Commerce). The only federal 'action' is the pre-existing Title IV breach-intake clock that started May 1, a passive obligation on institutions. Most surprising silence: Senators Markey (D-MA) and Cassidy (R-LA), bipartisan COPPA 2.0 sponsors who routinely letter Meta/TikTok within 24-48 hours of children's-data incidents.

**Higher-ed sector consortium silence.** As of May 8, 2026, one full week into the incident, there is no public advisory from REN-ISAC (the higher-ed analog to MS-ISAC), EDUCAUSE (no Review article, no community blog), NACUA (no NACUANOTES on FERPA-notification timing), AACRAO, NACUBO, AAU, APLU, AGB, SHEEO, or ACE. Member-only listserv traffic almost certainly exists, but for non-member CIOs / Emergency Managers / general counsel, there is nothing canonical to cite. K12 SIX is the only sector ISAC voice on the public record, quoted via its weekly newsletter saying 'small and medium businesses, including the majority of U.S. K-12 education software businesses, are frequent cybersecurity targets.'

**Defacement message verbatim** (May 7 mass-defacement HTML overlay on ~330 Canvas tenant login portals, also visible in the Canvas mobile app, observed by TechCrunch on three schools): "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches'." The message directs schools to 'contact us privately at TOX to negotiate a settlement' before 'May 12 2026 before everything is leaked', superseding the earlier May 7-8 deadline.

**International regulator silence.** No public statement as of May 8 from the UK ICO (UK GDPR Article 33 ICO-notification clock for U Manchester expired May 7), the Australian OAIC (Privacy Act 1988 NDB scheme; 2022 amendments raised maximum penalties to AU$50 M / 30% domestic turnover), the UK NCSC, Canadian OPC, or Australian Signals Directorate / ACSC. Eleven international universities have publicly confirmed impact (USYD, UniMelb, UTS, Auckland, AUT, VUW, Manchester, UBC, SFU, plus UofT confirmed via student paper after declining comment).

**Anchor academic-sector quote**, In the absence of EDUCAUSE / REN-ISAC public commentary, Anton Dahbura, Executive Director of the Johns Hopkins University Information Security Institute, has emerged as the most-quoted higher-ed cybersecurity expert: 'The Canvas breach is a reminder that no platform is immune... Educational platforms are particularly rich targets given the concentration of personal, financial and international student data. Even organizations that do the right things can still be exposed through trusted vendors.'

**Pre-disclosure timeline anomaly.** Fulton County Schools (GA), the largest district in Georgia (~90K students), posted its initial Canvas-incident security update on **April 27, 2026**, five days BEFORE Instructure's May 1 public disclosure. This implies Instructure quietly notified some K-12 customers under NDA roughly five days early. Combined with ShinyHunters' claimed **April 25** intrusion-onset date (per BleepingComputer reporting), the detection-to-disclosure-to-public timeline is: April 25 intrusion → April 27 confidential customer-notification window opens → April 30 status-page disruption to API tools → May 1 public disclosure → May 2 'contained' claim → May 7 mass-defacement falsifying the contained claim → May 12 leak deadline.

**Sept 2025 ↔ May 2026 lineage, definitive answer.** Same threat actor (ShinyHunters / Bling Libra / Mandiant UNC6040, now operating inside the August 2025 'Scattered LAPSUS$ Hunters' / 'Trinity of Chaos' alliance with Scattered Spider and LAPSUS$). Two distinct intrusions on different systems: Sept 2025 = vishing-driven social engineering of Instructure's Salesforce CRM (business contact info only; per Instructure no Canvas product data accessed). May 2026 = fresh intrusion into Canvas cloud production environment (names, emails, student IDs, Canvas Inbox messages, different data classes than Sept 2025 footprint). Multiple analysts have publicly questioned whether post-September remediation was sufficient given the same actor returned within 8 months.

**Market-share scale of systemic risk.** Per Spring 2025 Edutechnica data, Canvas controls **39% of N. American higher-ed institutions and ~50% of student enrollment**, more than D2L Brightspace (20%), Anthology Blackboard (12%), and Moodle (9%) combined. Every U.S. News 2026 top-10 national university (Princeton, MIT, Harvard, Stanford, Yale, etc.) runs on Canvas. K-12 footprint is similarly concentrated: ~8,000 institutions / ~200 million learners in 100+ countries per Instructure corporate site. The systemic-risk dimension is therefore even greater than first-look numbers (~28-30%) suggested in early coverage.

**MFA partial-mitigation pattern (highest-signal forensic finding).** Charlottesville City Schools provided the most specific data-scope description in the entire dataset: 'Only parent accounts on Canvas, which contain very limited information, were affected. Student and staff accounts on Canvas do not appear to have been breached because they are protected by multifactor authorization.' This confirms multi-factor authentication worked as a partial mitigation: parent accounts (no MFA enforced) breached, staff/student accounts (MFA-protected) not. Implication for OIT readers: enforcing MFA on parent / observer / less-privileged Canvas roles is a high-yield retroactive control even after the May 12 leak deadline passes.

**Comparable-incident lessons-learned: paying ransom does not stop downstream extortion.** PowerSchool's December 2024 SIS breach is the most directly comparable incident: top-tier ed-tech vendor, ~62 M students + 9.5 M educators affected. PowerSchool **paid the ransom** and received a video purportedly showing data deletion, yet by May 2025 attackers were re-extorting individual school districts directly. Perpetrator Matthew D. Lane (19, Mass. college student) was caught, pled guilty June 2025, sentenced to 4 years federal prison. **Implication:** any Instructure ransom payment may not actually protect institutional data; OIT readers should plan for direct-extortion contact attempts even after the May 12 deadline, regardless of vendor payment.

**Most-likely-to-act state AG: NC Jeff Jackson.** Jackson already has an open Civil Investigative Demand against PowerSchool (issued June 2025, still pending) over its 2024 breach affecting nearly 4 million NC students/teachers/parents. With Wake County Schools and Duke both confirmed-affected by Instructure, Jackson is procedurally positioned to expand the existing edtech-vendor probe to Instructure under the same legal theory. Jackson on PowerSchool: 'I'm sending a Civil Investigative Demand to the company because I don't have answers to basic questions about what happened.' If a state AG breaks the silence first, NC is the most probable.

**Texas AG Paxton precedent, the operative state-AG playbook.** In September 2025, Paxton sued PowerSchool over its 2024 breach, calling it a "catastrophic data breach that compromised the personal information of over 880,000 Texas school-aged children and teachers." The Paxton-PowerSchool litigation is the single most directly applicable precedent for state-AG action against an LMS/SIS vendor. As of May 8, 2026 Paxton has not announced an Instructure action, but Austin ISD's BLEND, HISD, Katy, Conroe, Pearland, Lamar are all confirmed-affected, and the legal theory is portable.

**Utah AG home-state silence, most material federal-level gap.** Instructure is HQ'd in Salt Lake City. Home-state AGs almost always either issue a 'we are monitoring' confidence statement defending the local employer or file first to claim jurisdictional priority. Neither has occurred from Utah AG Derek Brown (in office since January 2025) as of May 8, 2026. The home-state silence is the single most material gap-fill finding in the senator/AG watch.

**Senate Commerce Chair Cruz silence, only person who can force testimony.** As Chairman of Senate Commerce in the 119th Congress, Senator Ted Cruz (R-TX) is the sole convening authority who can put Instructure CEO Steve Daly and CISO Steve Proud under oath. Cruz has been actively scheduling executive sessions through 2026 on AI / children's safety topics (S.4407 introduced April 28 on AI chatbot parental consent), but no Canvas hearing announcement by May 8. Most likely to break federal silence: Sen. Richard Blumenthal (D-CT, KOSA co-author, frequent breach-letter author), Sen. Ed Markey (D-MA, COPPA 2.0 sponsor, MA institutions affected), Sen. Elizabeth Warren (D-MA), or a bipartisan Markey-Cassidy-Blumenthal-Blackburn-Hawley letter timed to the May 12 leak deadline.

**Pre-existing controls that reduced exposure (positive signal).** Pearland ISD confirmed that two specific Canvas-tenant configurations meaningfully reduced their breach impact: (1) Canvas messaging disabled district-wide (so no in-platform message exfiltration possible) and (2) student email accounts restricted to receiving only `.edu` or `.mil` domain mail (meaningfully blunting downstream phishing pivots). These are zero-cost configuration choices that any Canvas-tenant OIT can deploy retroactively. Combined with Charlottesville's MFA-on-parent-accounts finding, the pattern is clear: **default Canvas posture is materially weaker than locked-down configurations**, and locked-down configurations measurably reduced this incident's exposure.

**First international regulator confirmed receiving notifications: Dutch DPA.** All seven affected Dutch research universities (UvA, VU Amsterdam, Erasmus Rotterdam, Tilburg, TU Eindhoven, Maastricht, U Twente) filed preliminary GDPR Article 33 data-breach notifications with the Autoriteit Persoonsgegevens in the days following May 1, 2026 disclosure. This breaks the public-silence pattern at ICO, OAIC, NCSC, OPC. Watch for an AP public advisory within 2-4 weeks under GDPR's response cadence. The Dutch sector consortium Universiteiten van Nederland (UNL) is the **first** higher-ed sector body globally to issue a coordinated public statement; SURF (Dutch NREN) is named as coordinator and cites its 2025 privacy audit of Instructure regarding tenant separation. NL Times reports 44 Dutch educational institutions impacted in total when including hogescholen.

**Best single framing of the incident, Doug Thompson, Tanium.** Quoted in Inside Higher Ed: 'This breach follows a clear pattern we've been watching for the last 18 months. Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once. It's the math of a bank robber who just figured out where the armored truck stops. Why hold up a hundred branches when the truck visits all of them? The real risk now is downstream. With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed.'

**Counter-signal: gravitational pull TOWARD Canvas was still strong as the breach landed.** Two procurement-side data points one-to-three weeks pre-breach cut against any 'Canvas in death spiral' narrative: (1) the UNC System Board of Governors voted to standardize all 17 UNC institutions on Canvas as the single system-wide LMS (NC A&T implementing Fall 2026); (2) Instructure announced an exclusive partnership with K16 Solutions on April 29, 2026, one day before the breach, to accelerate migrations TO Canvas, with Sinclair Community College locked in for D2L→Canvas Summer 2026 go-live. Analyst consensus across Dark Reading, Higher Ed Intel, and Phil Hill (On EdTech): no immediate customer loss expected; PowerSchool→Infinite Campus comp is exceptional, not predictive. Watch the WCPSS Board of Education June 2026 agenda for first credible non-renewal candidate.

**Cyber-policy thought-leader silence parallels consortium silence.** Brian Krebs (Krebs On Security) has not blogged the incident as of May 8, 2026. Bruce Schneier (Schneier on Security) has not blogged it. Alex Stamos, Jen Easterly, Chris Krebs (former CISA Director), Anne Neuberger, Dmitri Alperovitch, Rob Joyce, John Hultquist, Kevin Mandia, Lisa Monaco, no public commentary in indexed coverage May 1-8. Most surprising silence: **Brett Callow** (Emsisoft / Coveware), whose career has been built on ransomware/extortion-breach commentary, has not been quoted in any major outlet. The entire **FERPA / privacy-law academic bench** (Solove, Hartzog, Reidenberg, Polonetsky) is also silent, despite the incident potentially being 'the largest FERPA violation in history' (a phrase repeated anonymously in coverage).

**Penn-specific May 8 deadline appears to have passed without public dump.** ShinyHunters had specifically warned the University of Pennsylvania that its data, covering ~306,000 Penn users, would be leaked May 8, 2026 absent contact. As of late afternoon May 8 ET, no Penn-specific data dump has surfaced publicly; the deadline has effectively been folded into the omnibus May 12, 2026 ultimatum. Reported record counts have crept upward in May 7-8 coverage: BleepingComputer cites 280 million records (vs. earlier 275 million); some outlets reference 231 million; institution count drifts between 8,800 and 9,000+. ShinyHunters numbers may be inflating intentionally as the deadline approaches.

**No federal-court class-action complaint filed yet, anti-misclassification note.** As of May 8, 2026 evening ET, no federal-court class-action complaint has been filed specifically over the May 2026 Instructure breach. Multiple plaintiff firms (Chimicles Schwartz Kriner & Donaldson-Smith, Stueve Siegel Hanson, ClassAction.org partners) are in pre-filing investigation stage. **Watch for first complaint Mon May 11 or Tue May 12** in the Northern District of California, District of Delaware, or District of Utah. Note: the 'Hernandez-Silva v. Instructure' case that surfaces in some search results is a SEPARATE March 2025 student-data-monetization case, dismissed August 2025, not a breach lawsuit. Hub maintainers should not cite Hernandez-Silva as a May 2026 breach lawsuit.

**NEW attack-vector attribution: Free-For-Teacher accounts.** Instructure spokesperson statement to TIME magazine overnight May 7-8: 'Out of an abundance of caution, [Instructure] temporarily took Canvas offline to contain access and further investigate.' The company said the threat actor 'exploited an issue related to Free-For-Teacher accounts' (Canvas's free-tier instance for individual teachers, separate from paid institutional tenants). Those accounts have been shut down to restore access to paid Canvas tenants, the first substantive corporate explanation of the May 7 access vector. This is new attribution detail not present in earlier May 1-3 disclosures and suggests the May 7 'second breach' may have been a different vector than the original April 30-May 1 incident.

**ShinyHunters appears to have DELISTED Instructure from active extortion blog.** Per Krebs On Security reporting May 8, 'sources close to the investigation report that ShinyHunters' data leak blog no longer lists Instructure among its current extortion victims, suggesting active negotiation may be underway.' The 3.65 TB 'proof' sample posted on May 3 remains the only verified Canvas-derived dataset publicly in circulation. The Penn-specific May 8 deadline appears to have passed without a Penn-specific dump. **Critical interpretation:** delisting + restored Canvas + paid-tenant containment via Free-For-Teacher shutdown is consistent with a backchannel-payment scenario, but Instructure has made no payment statement.

**CEO Steve Daly continues silence as of May 8.** All Instructure corporate communications about this breach have come from CISO Steve Proud (May 1-2) and unnamed spokespeople (May 7-8 statements to TIME). CEO Steve Daly has issued NO public statement of record, no blog post, no press release, no customer letter signed by his office, no investor letter. The contrast with PowerSchool CEO Hardeep Gulati (who was publicly visible during the December 2024 breach) is notable. CEO silence in a breach of this scale is itself a tracked data point for institutional readers.

**Plaintiff bar field expands to four firms; Wohl & Fruchter publicly soliciting stockholders.** As of May 8, four U.S. plaintiff firms have publicly opened pre-filing investigations of the Instructure breach: Chimicles Schwartz Kriner & Donaldson-Smith, Stueve Siegel Hanson, Zimmerman Reed (consumer.zlk.com), and Bryson Harris Suciu & DeMay PLLC. Separately, Wohl & Fruchter LLP is hosting a public case page soliciting Instructure stockholders for the existing pre-breach Delaware Chancery Section 220 action (C.A. No. 2024-1122) attacking the $4.8 B KKR deal process, that case was filed October 31, 2024 and is the natural vehicle if breach-related fiduciary claims emerge against the pre-close Instructure board. No federal-court complaints have been filed as of May 8 evening; first filings expected May 11-12.

**FBI 'declines to comment', first explicit on-record federal posture.** When ABC11 Raleigh-Durham reached out to the FBI for comment on the Canvas breach, the FBI declined to comment. This is the first on-record federal-agency response posture: not 'investigating,' not 'aware,' but explicit refusal to comment. Combined with CISA, FTC, PTAC, FSA, ED, ONCD, and all 13+ congressional committee silences, the federal vacuum has now persisted 168+ hours since Instructure's May 1 disclosure.

**Mandiant CTO Charles Carmakal on-record attribution.** TechCrunch quoted Charles Carmakal (CTO, Google-owned Mandiant Consulting) on May 7: 'the attack on Canvas customers was just one of several major cybercrime campaigns being launched by ShinyHunters at the moment.' Mandiant's broader ShinyHunters tradecraft profile: vishing impersonating IT helpdesk, fake company-branded SSO/login pages for credential harvest, OAuth Device Flow abuse via local Salesforce Data Loader instances, generation of 8-character device codes pushed to victims via vishing, slow silent exfiltration via legitimate API surface. **Note:** Mandiant has NOT been confirmed as Instructure's engaged forensics firm of record; Instructure has only said 'outside forensics experts.'

**Joint CEO Daly + CISO Proud customer communication.** Per 6ABC Philadelphia reporting (relayed Instructure customer letter, May 5): 'We know this incident affects the trust you place in us, and we take that seriously. We are committed to sharing timely, accurate updates as our investigation progresses.' This is the first sourced direct quote attributing language to both CEO Steve Daly and CISO Steve Proud, though Daly has still issued no standalone public statement under his own name, no blog post, no investor letter.

**ShinyHunters defacement payload, full ransom note text.** The HTML defacement payload injected into Canvas login pages on May 7, 2026 (~3:30 PM ET) contained verbatim: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches'. If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked." The payload was visible to all users across affected schools simultaneously (suggesting a centrally-injected resource rather than per-tenant config). By ~4:20 PM ET on May 7, the defacement was replaced by 'Canvas is currently undergoing scheduled maintenance' messaging, Instructure's choice of the 'scheduled maintenance' euphemism for an active extortion incident drew sharp criticism (Cloudskope CEO Dipan Mann: '275 Million Users Exposed. 8,809 Schools Down. Instructure Calls It Scheduled Maintenance.').

**MAJOR ATTACK-VECTOR CORRECTION: Salesforce Experience Cloud guest-user-profile misconfiguration, NOT Canvas Login Customization XSS.** Multiple converging sources (Hackread, BleepingComputer, SOCRadar, Rescana) describe the initial-access vector as Salesforce Experience Cloud guest-user-profile misconfiguration, with lateral pivot into Canvas tenancy via OAuth-issued tokens for connected apps. This is the same campaign vector ShinyHunters used against ~300-400 organizations since September 2025 (Salesloft Drift). The September 2025 prior incident at Instructure's Salesforce instance was the targeting-database foothold; April 25-30 2026 saw exploitation of Canvas Data 2 / Beta surface, OAuth Developer Key abuse, and automated paginated API extraction. **No CVE has been assigned** because the failure is configuration-class (likely CWE-732 / CWE-862 / CWE-1390), NOT software-defect class, meaning traditional CVE-driven patch management would not have prevented this.

**MITRE ATT&CK mapping (multi-source consensus).** Sources converge on these techniques for the ShinyHunters Instructure operation: T1671 (abuse of cloud application integrations / connected apps), T1567 (Exfiltration Over Web Service), T1020 (Automated Exfiltration), within the broader ShinyHunters campaign cluster MITRE C0059. For the antecedent vishing tradecraft: T1566.004 (Spearphishing Voice / Vishing), T1078.004 (Valid Accounts: Cloud Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token), T1098.005 (create malicious connected/OAuth app), T1213.003 (data from cloud SaaS). **OIT-reader implication:** detection guidance is necessarily behavioral, anomalous Canvas Developer Key creation, anomalous OAuth token issuance preceding April 30 2026, unusual Canvas Data 2 / Beta API export volumes, off-hours API access from non-customer-IP-ranges. No CISA, MS-ISAC, REN-ISAC, or commercial CTI vendor has published file hashes, IPs, or domain IoCs as of May 8.

**California state budget counter-signal, UC + CSU + CCC tri-system standardizing on Canvas mid-breach.** Per Phil Hill / On EdTech: California's three statewide higher-ed systems are using state budget allocations to STANDARDIZE on Canvas as the common LMS, even as the breach unfolds. Includes a $2M CSU line item to align with the CCC system's existing Canvas footprint. Combined with prior signals (UNC System 17 institutions, Sinclair CC D2L→Canvas Summer 2026, Instructure-K16 Solutions exclusive partnership April 29), the **counter-signal weight is now decisive**: three of the largest public systems in the US are EXPANDING Canvas adoption mid-breach. Procurement consensus: switching cost > breach risk.

**Nordic cluster + multi-DPA notification chain.** Beyond the 7 Dutch research universities + AP, the breach has triggered breach-notification activity across Nordic regulators: University of Copenhagen (Canvas branded as 'Absalon') notified Datatilsynet (Danish DPA) on May 5; Aalto EE Finland notified Tietosuojavaltuutettu (Finnish Data Protection Ombudsman); five Swedish universities (KTH, KI, Lund, Uppsala, SLU) all notified Integritetsskyddsmyndigheten (IMY / Swedish DPA), with Sunet (Swedish NREN) coordinating. Despite seven+ DPAs across NL/SE/DK/FI receiving notifications, none have published a public advisory as of May 8, the regulator-publication gap is consistent globally.

**FEDERAL SILENCE PARTIALLY BROKEN, FBI Facebook advisory May 8.** Late afternoon / evening May 8, the FBI published a public Facebook advisory (referenced by Malwarebytes and Nextgov coverage) telling potential Canvas users: 'do not send payment'; 'receiving a message does not necessarily mean your personal information has been compromised'; 'threat actors often exaggerate or fabricate their access.' This is the **first US federal public communication on the breach**, partially breaking the day-8 federal-vacuum framing. CISA remains engaged but publicly silent. Notable interpretive frame: the FBI's 'threat actors often exaggerate' language signals federal skepticism toward ShinyHunters' 275M-record claim and implicitly discourages individual-institution ransom payment.

**Forensic partner is CrowdStrike, not Mandiant.** Per Instructure's incident-update FAQ, CrowdStrike is Instructure's engaged forensic-IR partner. Mandiant's contribution has been **public commentary only**, CTO Charles Carmakal's TechCrunch quote and Krebs On Security attribution. CrowdStrike's May 8 readout (cited verbatim by Instructure): 'there is no evidence that the threat actor had system-level access, installed malware nor obtained login credentials, nor that any additional data was extracted during the renewed activity on May 7.' This corrects earlier hub speculation that Mandiant might be the forensic firm of record.

**Free-For-Teacher accounts confirmed as initial-access vector.** Per Bitdefender Technical Advisory and Rescana / SOCRadar convergence: ShinyHunters first gained access to Canvas production infrastructure by exploiting the Free-For-Teacher (FFT) account program, which allowed account creation without institutional verification but ran on the same backend as paid institutional tenants. Initial intrusion: April 25, 2026. Detection: April 29, 2026 (4-day dwell). This refines the prior Salesforce Experience Cloud guest-user-profile attribution: BOTH framings are correct, the Salesforce-side foothold harvested in September 2025 enabled targeting, and the FFT-account abuse was the May 2026 production-side entry point. Data classes exposed: usernames, .edu email addresses, course names, enrollment information, Canvas inbox messages.

**RESOLUTION, Instructure / ShinyHunters settlement May 11-12.** BleepingComputer reports Instructure announced one day before the May 12 leak deadline that it had reached an agreement with ShinyHunters and 'received digital confirmation of data destruction (shred logs).' Vendor statement: 'no Instructure customers will be extorted as a result of this incident, publicly or otherwise.' Ransom dollar amount **undisclosed**. ShinyHunters delisted Instructure from the dark-web leak site. No individual institution has been confirmed to have paid separately. **Interpretation caveat:** shred-log 'destruction' confirmation is unverifiable by external parties; the PowerSchool precedent (Dec 2024, ransom paid but downstream re-extortion of districts still occurred in May 2025) recommends OIT readers continue to plan for direct-extortion contact attempts despite the announced settlement.

**CEO Steve Daly breaks silence with May 11 apology blog post.** Per IT Pro / KUTV / Idaho Ed News / Reuters, Daly published a blog-post apology on May 11, opening: 'I'll start where I should: with an apology. Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that. ... We focused on fact-finding and went quiet when you needed consistent updates. ... Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication.' This is the first named-CEO statement of record, through May 8 evening, all corporate communication had been from CISO Steve Proud + unnamed spokespeople.

**Federal silence officially broken, Garbarino House Homeland Security letter, May 11.** Rep. Andrew Garbarino (R-NY), Chairman of House Homeland Security, sent a formal letter to Instructure CEO Steve Daly on May 11, 2026 demanding a committee briefing by May 21. This is the first Congressional action of record; comes 10 days post-disclosure. Garbarino joins the FBI Facebook advisory + OAIC Australia statement as the only confirmed government-side public actions through the May 11-12 window. Senate HELP / Senate Commerce / Senate HSGAC / Senate Intel / House E&C / House Ed & Workforce / Markey-Cassidy COPPA 2.0 / all state AGs (including UT home-state, CA Bonta, NY James, TX Paxton, NC Jackson) remain silent.

**Australia's OAIC issued the first international regulator public statement.** OAIC media centre advised affected users to lodge complaints directly with Instructure first, then escalate to OAIC after 30 days. The **Norwegian Datatilsynet** has since joined OAIC as the second international regulator with a public statement, citing 'serious' impact across 32 Norwegian institutions / ~250,000 students per Sikt coordination. UK ICO, Dutch AP, Swedish IMY, Danish Datatilsynet, Finnish Ombudsman, Canadian OPC all remain publicly silent despite having received GDPR / equivalent notifications.

**ED FSA issues first formal federal advisory May 12, but from financial-aid arm, not FERPA arm.** Federal Student Aid published a 'Technology Security Alert – Ongoing Cybersecurity Incident Involving the Canvas Learning Management System' on the May 12 ransom deadline day. Directed at IHEs participating in Title IV programs, it instructs institutions to review system, authentication, and Canvas integration logs for unusual access patterns between April 25 and May 8, 2026. **Notably from FSA cybersecurity (financial-aid integrity arm), NOT from the Student Privacy Policy Office or PTAC**, which per K-12 Dive reporting has 'requested information from Instructure to ensure compliance with FERPA' but has not issued a formal public advisory.

**Strongest privacy-civil-society voice: Elizabeth Laird, CDT.** Per K-12 Dive May 8 reporting, Center for Democracy & Technology's Director of Equity in Civic Technology Elizabeth Laird issued a public statement: 'Not only did this incident interfere with essential learning activities, it has exposed sensitive data about nearly 300 million users, including messages that could include incredibly personal information. This is an important wakeup call that schools and the companies that work with them have legal and ethical responsibilities to safeguard students and teachers online in the same ways that they are protected in the classroom.' CDT is the **only DC-area privacy think-tank** with a public statement of record. FERPA academic bench (Solove / Hartzog / Polonetsky / Reidenberg's Fordham CLIP / Grimmelmann / Goldman / Kaminski / Lessig) and EPIC / EFF / Common Sense Media / Parent Coalition for Student Privacy all remain silent through May 12.

**FIRST CLASS ACTION COMPLAINT FILED, Peterman v. Instructure (D. Utah).** Per Bloomberg Law, Jabon Peterman filed the first federal-court class-action complaint against Instructure on May 5, 2026 in the U.S. District Court for the District of Utah (No. 2:26-cv-00374). Plaintiff firms: Milberg PLLC, KO Lawyers, Carella Byrne Cecchi Brody Agnello PC, Marshall Olson & Hull PC (Utah counsel). A parallel **Hinds v. KKR & Co. Inc.** was filed May 8 in S.D.N.Y. by Yagman PLLC, naming KKR (Instructure's owner since the 2024 $4.8B take-private) on a negligence theory. **At least 7 federal suits filed** as of post-settlement reporting (6 in D. Utah + 1 in S.D.N.Y. naming KKR). No JPML/MDL consolidation order yet. Per State of Surveillance: 'The settlement with ShinyHunters does not resolve Instructure's civil liability to affected users.'

**Potential statutory violation: Instructure may not have notified state AGs.** Per ClassAction.org and Inside Higher Ed: 'Instructure has not yet reported either data breach to state attorney general offices, which may have violated federal or state laws.' Most state breach-notification statutes require notification to the state AG within 30-60 days of discovery (some sooner for high-volume breaches). If accurate, this creates additional regulatory exposure beyond civil class-action liability, likely AG-action trigger within 30 days. NC AG Jeff Jackson's standing PowerSchool CID provides the cleanest precedent template.

**Three universities formally extended / canceled academic deadlines** (in addition to JMU's May 13 extension already documented): Emory University extended grade submission deadlines by 7 days and notably acknowledged 'Emory can't independently verify Instructure's findings'; East Carolina University moved the grade-submission deadline to 8 AM Wednesday May 13 (Provost Christopher Buddo named); Idaho State University outright canceled all afternoon finals on May 7, the most aggressive academic accommodation in the dataset. Pairs with Birmingham UK (May 13 deadline) and SMU TX (postponed Fri exams to Sun May 10).

**Instructure denial of May 7 data theft contradicted by 330-portal defacement.** Instructure's incident-update FAQ states 'Instructure has not found evidence that data was taken during the May 7 activity.' However, ShinyHunters defaced login portals at ~330 institutions during this second wave, posting ransom messages directly on student/teacher screens. The characterization gap (data theft vs. defacement) remains a point of contention.