HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Ransomware Group Claims Theft of 275 Million Student Records from Instructure Canvas LMS

Instructure confirmed a breach of its cloud‑hosted Canvas LMS after the ShinyHunters ransomware gang announced the theft of roughly 275 million records belonging to students, teachers and staff across 8,809 educational institutions. The incident underscores the third‑party risk inherent in SaaS education platforms.

LiveThreat™ Intelligence · 📅 May 07, 2026· 📰 malwarebytes.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
malwarebytes.com

Millions of Student Records Stolen in Instructure Canvas Ransomware Breach

What Happened – Instructure, the provider of the Canvas learning‑management system, confirmed a cyber‑incident that exposed its cloud‑hosted environment. The ShinyHunters ransomware group claims responsibility and alleges the theft of roughly 275 million records belonging to students, teachers and staff across 8,809 educational institutions.

Why It Matters for TPRM

  • A single SaaS vendor can become a conduit for massive PII exposure across thousands of downstream customers.
  • Ransomware‑linked data exfiltration raises the risk of credential stuffing, phishing, and downstream credential‑reuse attacks.
  • Education‑sector contracts often contain data‑privacy clauses; a breach of this scale can trigger regulatory penalties and contract breaches.

Who Is Affected – K‑12 school districts, colleges, universities and online education platforms that host Canvas; their students, faculty, staff and parents.

Recommended Actions

  • Verify the scope of your institution’s Canvas deployment and confirm whether any records were compromised.
  • Enforce immediate password resets and enable MFA for all student, parent and staff accounts.
  • Review contractual security clauses with Instructure and assess breach‑notification obligations.
  • Consider supplemental identity‑theft protection for minors whose data may have been exposed.

Technical Notes – The breach appears to be a ransomware‑driven data‑exfiltration attack; no specific CVE or vulnerability was disclosed. Stolen data includes names, email addresses, student IDs, and course information. Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/news/2026/05/millions-of-students-personal-data-stolen-in-major-education-cyberattack

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →