Instructure paused delivery of breach-related data tied to Canvas after it determined a third-party delivery platform may face a security threat. The company said it was sending institutions a “secure, permissioned ShareFile link,” but halted uploads “out of an abundance of caution” while it assesses whether the platform is safe or identifies alternatives. The pause follows Instructure’s earlier incident response after ShinyHunters claimed access to personal identifying information for 275 million people across 9,000 institutions. Instructure said it has found “no evidence” that passwords or government identifiers were involved. For universities, the delay extends a critical compliance timeline for incident review, notification processes, and internal risk assessments—especially when institutions must coordinate with designated security contacts. The episode raises the stakes for higher education cybersecurity vendor governance, because even when the platform is secure, third-party data-transfer mechanisms can become the weak link.
Get the Daily Brief