Instructure Pays Ransom to Stop 3.65 TB Canvas Data Leak Affecting Thousands of Educational Institutions
What Happened — Instructure, the parent company of the Canvas learning‑management system, confirmed that a decentralized extortion group accessed its network, exfiltrated approximately 3.65 TB of data, and threatened public release. The company reached a ransom agreement to prevent the leak.
Why It Matters for TPRM —
- Large‑scale student and staff personal data exposure can trigger regulatory fines and reputational damage for partner institutions.
- Third‑party risk assessments must account for the vendor’s ability to detect, contain, and remediate ransomware incidents.
- Ongoing reliance on a compromised SaaS platform may affect continuity of academic operations.
Who Is Affected — Higher‑education institutions, K‑12 school districts, and any organization that uses Canvas for course delivery.
Recommended Actions —
- Review Instructure’s incident‑response and data‑protection controls.
- Verify that contractual clauses address breach notification, data encryption at rest, and ransomware response.
- Conduct a supplemental risk assessment for any downstream integrations (e.g., SIS, analytics tools).
Technical Notes — The breach appears to have been driven by stolen credentials that enabled lateral movement and mass data exfiltration. No specific CVE was disclosed. Exfiltrated data includes student records, grades, email addresses, and potentially payment information.
Source: The Hacker News