
The Canvas Breach: What School Boards Should Ask This Week
By Ryan Speak, Co-founder and CTPO, Arvoe. 10 May 2026.
The Instructure/Canvas breach is one of the largest education-sector data incidents on record. Threat actors have claimed approximately 9,000 institutions and up to 275 million users were affected, though those figures are unverified by Instructure. In Australia, the Office of the Australian Information Commissioner (OAIC) has confirmed that affected providers include universities, vocational providers, and some state schools, and several institutions have issued their own notifications.
Instructure's communications have emphasised what was not in the exposed data: no passwords, no dates of birth, no financial information, no government identifiers. Several Australian institutions have echoed that framing in their own notifications, and reporting indicates the NSW Department of Education's view of the immediate risk is low. But the structured-data summary leaves out the part of Canvas that potentially holds the most sensitive content: the messages between teachers, students, and pastoral staff. For boards of non-government schools, that distinction matters more than it does for the state systems, and it changes what this week's risk committee should actually be discussing.
This post is for chairs, principals, and risk committee members thinking about what the breach means for their school, and what to put on the next agenda. It is not technical advice. It is the governance read.
What's actually in the leaked data
The structured data that was confirmed exposed is the obvious stuff: names, email addresses, and student identification numbers. Where the conversation gets harder is the unstructured data: the several billion private messages, exchanged between teachers, students, and staff inside Canvas, that ShinyHunters claims to have obtained.
Canvas is a learning management system, but in practice it is also a communication platform. Teachers message students about late assignments, missed classes, and pastoral concerns. Pastoral care staff message students about welfare check-ins. Students message teachers about home situations, illness, family disruption, and, sometimes, things that should have been escalated to a designated child protection officer instead.
None of those conversations have a "date of birth" field. But they can contain dates of birth, welfare disclosures, medical detail, family situations, and conversations a child trusted to one teacher. Free text is often where the sensitive content lives.
The relevant distinction is this: the absence of a date-of-birth field in the structured records is not the same as the absence of dates of birth in the leaked data.
Independent commentators, including Brian Krebs, have pushed back on this framing. Australian commentary, including Secure ISS's 8 May advisory, has made the same point in more measured terms. Some have called this style of messaging "incident theater": technically true statements that add up to a misleading picture.
For the board, the question is not whether Instructure's communications are technically correct. The question is whether the school's read of the risk is accurate enough to defend later.
Why the distinction matters more for non-government schools than for state schools
The Privacy Act 1988 and the Notifiable Data Breaches scheme apply differently across the Australian education sector.
Most state schools and public universities are exempt from the federal Privacy Act because they are state government entities, governed instead by state-level privacy frameworks. The OAIC's 8 May statement on the Instructure incident said it was aware of the incident and noted that not all educational institutions are covered by the Privacy Act. State and territory government schools are usually governed by state privacy laws. Public universities and TAFEs are generally exempt unless they operate as private entities.
Non-government schools, in most cases, are APP entities, meaning they are bound by the Australian Privacy Principles (APPs) under the Privacy Act. They are within scope. The Notifiable Data Breaches (NDB) scheme applies. For many of these schools, the 30-day NDB assessment period may already be running, depending on when the school became aware of the incident.
The threshold for notification is whether the breach is "likely to result in serious harm" to any of the affected individuals. Whether that threshold has been crossed depends, materially, on what is in those free-text messages. A breach of student IDs and email addresses, in isolation, is unlikely to clear the threshold. A breach that includes welfare disclosures involving minors, or pastoral conversations of the kind teachers and counsellors routinely have through Canvas, is a different question entirely.
The board does not need to make the legal call this week. But it does need to know that the call exists, that "Instructure says we're fine" is not the answer to it, and that the school has a process to work it through.
The pattern this fits into
The Canvas breach is not an isolated event. It is the second Instructure incident in eight months. The prior breach, in September 2025, exposed customer data through a Salesforce-related compromise, and reporting suggests the May 2026 incident is connected to issues from that earlier breach, though the full picture is still being worked out. Closer to home, in December 2024 the Fog ransomware group claimed an attack on Waverley Christian College, a K-12 independent school in Victoria, with five gigabytes of data reportedly stolen and the college confirming the incident. In January 2026, the Victorian Department of Education disclosed a breach affecting its government-school network, reported by multiple outlets as covering all 1,700 schools.
The UK's Cyber Security Breaches Survey 2025/2026, published in April, found 49% of primary schools and 73% of secondary schools identified a breach or attack in the past twelve months, with the secondary rate up from 60% the year prior. The threat tempo is rising, ransomware groups are targeting peer institutions by name, and the next incident in your school's environment is more likely to come from a vendor or threat actor you have not yet heard of than from one you have.
That has implications for governance posture. The schools that treat tracking these signals as a routine input into board and risk committee discussions, rather than reading about them after the fact, have a different starting position when an incident lands.
What boards should ask this week
If Canvas is in your school's environment, these are the questions that belong on the next risk committee or executive agenda.
1. What data did Canvas hold about our school community?
Not "what categories of data did Instructure list in their statement?" What did our Canvas tenant actually contain? Names, IDs, and emails are the floor. The real question is what was being communicated through Canvas messages, and by whom, to whom, about what.
2. Has anyone reviewed a representative sample of the messages?
Someone at the school, ideally the person who leads wellbeing or child safety, should look at a representative sample of teacher-student messages from the last six to twelve months. Not to read every conversation. To form a view on what categories of sensitive content are present, so the school's NDB assessment is grounded in evidence rather than assumption. This needs to be done by someone with the standing to do it, typically the deputy principal or director of student wellbeing, and any mandatory reporting obligations triggered by what they see apply independently of the breach.
3. Who owns the NDB assessment, and by when?
The 30-day clock under the NDB scheme starts when the school becomes aware of an actual or suspected breach. For most APP-entity schools, that awareness window opened during the first week of May. The board should know who owns the assessment, what the deadline is, and who is empowered to make the notification decision. If the answer is "the principal will work it out," that is not a process. That is the absence of one.
4. Have we engaged our cyber insurer?
Most cyber policies require early notification of an incident, often before the school knows whether there is a real problem. Failing to notify can void cover. If the school has not contacted its cyber insurer, that should happen this week.
5. Where are the gaps in our parent communications plan?
A general letter to all parents about the breach is straightforward. The harder communications are the targeted ones: families whose children's welfare conversations may have been in the leaked content. Those families need a different conversation, not a generic letter. The board does not need to draft those communications. It needs to know that someone is thinking about who they are.
6. Who decides whether we change vendors, and on what threshold?
Most schools have never answered this. The reflexive "we'd switch LMS providers" answer is rarely the right one. Most commentary on this incident has focused on contracts and incident readiness rather than vendor switching, and switching mid-year creates its own risks. But the underlying governance question is real and unresolved at most schools: who has the authority to make a vendor-change call, on what threshold, with what board involvement, and on what timeline. If the school's answer to that question only emerges in the middle of the next incident, it is the wrong moment to be discovering it.
7. What is our list of other Canvas-shaped vendors?
This is the question that outlasts the incident. Canvas is one of dozens of EdTech vendors holding sensitive data on the school's community. The school's third-party EdTech register, if it exists at all, is probably out of date. A breach of equivalent severity could come from any of the others next month. The work that protects the school from the next incident is not better Canvas controls. It is a register, a risk rating, and a 24-hour decision tree for any of them.
What the board should not do
A few cautions, because the failure modes here are predictable.
Don't pivot to "we need a new LMS." Switching learning management systems mid-year, in a panic, after an incident the entire global market just lived through, is not a board-level response. It is a knee-jerk one.
Don't accept reassurance as a substitute for evidence. "Instructure has confirmed Canvas is back online" is operational news, not a risk assessment. The board's job is to ask for the evidence behind the reassurance.
Don't conflate the operational response with the governance response. The IT team is rotating credentials, reviewing API integrations, and reinforcing multi-factor authentication. That is the operational layer, and it is necessary. The board's layer is whether the school's governance posture, before this incident, was the one it would have wanted in retrospect. If the answer is no, the board's job is to fix that, not to second-guess the operational response.
The longer arc
The pattern is not that any one vendor is uniquely insecure. The pattern is that every school depends on a long tail of third-party vendors, most of which it cannot itself secure, and none of which it can decline to use without disrupting teaching and learning.
The governance question this incident asks, and that the next one will ask again, is not about Canvas. It is about whether the school knows which of its vendors are critical, which are sensitive, what data they hold, what their breach notification obligations are, who owns the relationship, and what the school does on day one of an incident.
Most schools cannot answer those questions in the time pressure of an incident. The schools that handle the next one well will be the ones that built the answers into their governance rhythm before the next one arrives.
A note on what this post is and isn't
This is not a Canvas-specific post. It is one practitioner's read on what the breach is asking of school boards in Australia.
If you are a chair or risk committee member working through this with your board this week, the most useful thing you can do is sit with the seven questions above, in order, and write down the answers. Where you don't have one, the gap is the work. If you are a principal, your week looks different. The operational response comes first, and these are the governance questions that follow it.