Instructure paused Canvas data delivery for a first wave of breach-related files after identifying a potential security threat involving a third-party delivery platform. The company said it found no evidence of password, date of birth, government identifier, or financial data exposure in the earlier breach description but moved to halt transmission pending reassurances about the third-party system’s safety. The decision followed an earlier ShinyHunters extortion incident in which the group claimed access to personal data for 275 million people across about 9,000 institutions. Instructure CEO Steve Daly said the company conducted a forensic review and would provide information “as quickly as we responsibly could,” then later updated customers that delivery was paused “out of an abundance of caution.” Canvas customers—including higher education institutions—were preparing for data delivery via a permissioned ShareFile link to designated security contacts. Instructure emphasized that institutional data “remains secure,” but would proceed only when confident in the third-party platform. The episode matters for university IT and compliance teams because it changes breach response timelines and adds a second layer of vendor risk management beyond the initial LMS incident.
Get the Daily Brief