
The Canvas/Instructure breach: supplier risk and cloud dependency in education

In May 2026 an attack on the Canvas learning platform (Instructure) exposed the data of potentially hundreds of millions of users worldwide, including users at seven Dutch universities. The lesson: one central platform means one central risk, and your preparation starts with a CIA-triad risk analysis.


From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

Founder & Security Awareness Specialist · 2LRN4

In May 2026 the globally used Canvas learning platform, from supplier Instructure, was hit by a large-scale attack (attributed to the ShinyHunters group). Worldwide, the data of potentially hundreds of millions of students, teachers and staff was at stake, spread across thousands of educational institutions. In the Netherlands, seven universities confirmed they were affected: the University of Amsterdam, VU Amsterdam, Erasmus University Rotterdam, Tilburg University, TU Eindhoven, Maastricht University and the University of Twente. The incident shows once again that your biggest dependency is sometimes a platform you do not run yourself.

What happened

The attack took place in May 2026 and hit Instructure, the company behind Canvas. This is the learning platform many higher-education institutions use for courses, grades and communication with students. Because so many institutions run on the same platform, a single intrusion had an immediate international reach.

For the Dutch universities this meant that data flowing through Canvas may have ended up in the attackers' hands. Exactly which data varies per institution, but a learning platform quickly involves names, email addresses, study and course information and internal communication.

Under the GDPR this is a notifiable breach: the affected institutions, as controllers, had to notify the supervisory authority (in the Netherlands the Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it, and inform those concerned where the risk to them is high. Because the processor (Instructure) was the source of the leak, the timing depends on how quickly the processor informed its customers, which the GDPR requires "without undue delay", and on the agreements in the data processing agreement about who is responsible for what.

Concentration risk: one platform, one target

Central cloud services make life easier: one system, accessible everywhere, always up to date. But that same centralisation makes such a platform an attractive target. Whoever gets in once has access to the data of thousands of organisations at once. That is precisely why attackers focus on large suppliers rather than individual institutions. You saw the same pattern in the attack on healthcare supplier ChipSoft, where one system hit a large part of the Dutch hospital sector.

For education this is extra relevant. Universities and colleges often share the same core applications (learning platform, student administration, email), so an attack on one supplier hits the whole sector at the same time. The dependency is large and the alternatives are limited.

The lesson for awareness professionals: you cannot remove all risk at your supplier, but you can prepare your organisation for the scenario where a central service is taken over. Those who know what to do limit the damage.

Start with the risk analysis: work through the whole CIA triad

Preparing for an outage does not start with a playbook, but with a risk analysis. The CIA triad helps you determine, per system, which requirements apply to confidentiality, integrity and availability, and which measures fit. Work through all three deliberately instead of looking only at the consequences of a leak. Want the distinction between these three and the GDPR concepts clear? Read about the difference between the CIA triad and the GDPR.

Availability: how bad is it if this platform is down for a day or a week? If availability must be high, heavier measures are needed. Ask whether failover to an alternative platform is possible, whether you have a recent backup outside the platform, and whether you can separate the data from the platform. With your own export or copy, you can carry on with your courses, grade administration or services more quickly during an outage.

Integrity: can you trust that the data has not been tampered with? After an intrusion you must be able to establish whether grades, records and enrolments still hold. That requires a reference you control: a copy, or at least cryptographic checksums, of the data taken before the incident and stored outside the platform, so that a comparison tells you which records changed. Without such a reference you do not know whether you can rely on the data, and after recovery that can be just as paralysing as the outage itself.
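The following is an added example, not code from the page, from Instructure or from any university, of what an off-platform integrity reference can look like in practice: a scheduled grade export is hashed record by record, the set of hashes is protected with a keyed MAC, and after an incident the current export is checked against it. The export field names, the key identifier and the sample rows are constructed for illustration; the real export schema will differ. The point the code makes that the paragraph cannot is that a keyed manifest lets you name the individual rows that were modified, deleted or added, and that an attacker who controls the platform cannot simply recompute the hashes, because the key is held by the institution and never by the platform.

```python
import hashlib
import hmac
import json

# Constructed sample grade export. Field names are assumed for the example
# and are not the learning platform's actual export schema.
GRADE_EXPORT = [
    {"student_id": "s1001", "course": "CS101", "grade": 8.5},
    {"student_id": "s1002", "course": "CS101", "grade": 6.0},
    {"student_id": "s1003", "course": "MATH200", "grade": 7.5},
]

# Assumed: in production this key comes from an institution-held secret
# store or HSM and must never be stored on the platform being verified.
DEMO_KEY = b"constructed-demo-key-held-by-the-institution"


def canonical(record):
    """Stable byte encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_key(record):
    """Identity of a row, independent of its mutable content (the grade)."""
    return f"{record['student_id']}|{record['course']}"


def build_manifest(records, key):
    """Per-record SHA-256 digests plus an HMAC over the whole digest set.

    Per-record digests let verification name the exact rows that changed;
    the HMAC binds the set so rows cannot be re-hashed or silently dropped
    by anyone without the institution's key.
    """
    digests = {record_key(r): hashlib.sha256(canonical(r)).hexdigest() for r in records}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_export(records, manifest, key):
    """Compare a current export against a stored manifest.

    Returns manifest_ok=False if the manifest itself fails its MAC (wrong key
    or a forged manifest); otherwise lists modified, missing and added rows.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "added": []}
    current = {record_key(r): hashlib.sha256(canonical(r)).hexdigest() for r in records}
    stored = manifest["digests"]
    return {
        "manifest_ok": True,
        "modified": sorted(k for k in stored if k in current and current[k] != stored[k]),
        "missing": sorted(k for k in stored if k not in current),
        "added": sorted(k for k in current if k not in stored),
    }


if __name__ == "__main__":
    # Taken before the incident and stored off-platform alongside the export.
    manifest = build_manifest(GRADE_EXPORT, DEMO_KEY)
    # Simulate a post-incident export in which one grade was altered.
    after_incident = [dict(r) for r in GRADE_EXPORT]
    after_incident[1]["grade"] = 9.5
    print(verify_export(after_incident, manifest, DEMO_KEY))
```

Run the manifest build on every scheduled export and keep manifest, key and export copy outside the platform; after an incident, verify the platform's current state against the last manifest taken before the earliest suspected intrusion time, not the most recent one.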

Confidentiality: which data is so sensitive that exposure causes the greatest damage? By classifying your data you know what needs extra protection and what demands attention first after a leak. You make that distinction up front, as described in data classification and the need-to-know principle.

By working through all three together you avoid focusing only on availability and forgetting integrity or confidentiality. Awareness here means that non-technical colleagues think along too: they know best which failing system halts their work and which data is crucial in their process.

The most dangerous phase begins after the breach

As with other large breaches, the theft itself is not the biggest risk to the user. Follow-up phishing is. With names, email addresses and the knowledge that someone is a student or employee at a specific university, criminals can send highly convincing messages. This is the same mechanism that led to a wave of fake messages after the Odido breach.

After an education breach, expect waves of fake emails: 'check whether your data was leaked', 'log in again to Canvas via this link', or 'your enrolment is expiring, confirm now'. Precisely because the news is widely known, criminals ride it immediately.

Students are a vulnerable group here: young, busy and used to a lot of digital messages from their institution. Awareness must therefore target not only staff, but also the way the institution communicates with students.

What a data processing agreement has to do with this

When a supplier processes your data, your organisation usually remains the controller under the GDPR. That means you must set agreements in advance in a data processing agreement: which security measures does the supplier take, how and how quickly do they report an incident, and who informs those concerned?

The Canvas incident made clear how important those agreements are. The faster and clearer a processor communicates, the sooner the institution can report and warn its people. Awareness and procurement meet here: the people who sign contracts help determine how well you can respond later.

For awareness professionals this is a chance to broaden the conversation: supplier risk is not only a technical or legal topic, but also a behavioural and communication issue.

How to embed this in your awareness programme

Use the Canvas incident to put two things on the agenda at once: the dependency on central cloud platforms and the importance of alertness in the period after a breach.

Tune your campaign to the audiences that really matter: procurement and officers who manage contracts, plus the communication channels towards students or customers.

  • Audience and cadence: give procurement and privacy officers a module on data processing agreements and reporting arrangements; give communication and front-office teams a playbook for phishing after a breach.
  • Start with the risk analysis: determine, per core system, the requirements for confidentiality, integrity and availability, and define failover and backup measures for systems where availability must be high.
  • Agree in advance which messages you do and do not send (e.g. never a login link in an email), so fake messages stand out sooner.
  • Practise the scenario where a central platform goes down or is taken over: how do you communicate, and how do you carry on temporarily on a separated copy of the data?
  • Want to anchor this? See how it works with a security awareness programme.


FAQ

Why did one attack hit so many universities at once?

Because many institutions use the same central learning platform (Instructure's Canvas). An intrusion at that one supplier gives access to the data of thousands of organisations worldwide at once. This is concentration risk: one central platform means one central target.

What is the biggest risk to students and staff after this breach?

Not the theft itself, but follow-up phishing. With names, email addresses and the knowledge that someone is tied to a specific university, criminals can send convincing fake emails, such as 'check whether you were leaked' or 'log in again via this link'. You need to warn for that specifically.

How do you prepare an organisation for the outage of a central platform?

Start with a risk analysis based on the CIA triad (confidentiality, integrity, availability). If availability must be high, take appropriate measures: check whether failover to another platform is possible, whether you have a recent backup outside the platform, and whether you can separate the data from the platform so you can carry on quickly with your own export. Then also work through integrity (is the data still correct?) and confidentiality (what is most sensitive?), and practise the failover scenario in advance.

Who is responsible when the supplier causes the breach?

Under the GDPR your organisation usually remains the controller, even when the supplier (the processor) causes the breach. That is why you set out in advance, in a data processing agreement, which security the supplier provides, how quickly they report incidents and who informs those concerned.

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.