Canvas by Instructure Data Breach

Canvas by Instructure Data Breach

Hawkins County Schools

May 8, 2026

Updated: May 13, 2026

May 13, 2026

To: All Students, Faculty, and Families

We are providing an update to our previous communication regarding the security incident involving Instructure, the provider of our Canvas Learning Management System.

Instructure has shared a significant development regarding the data that was accessed during this event.

Latest Developments: Data Recovery

Instructure has informed us that they have reached an agreement with the unauthorized actor involved in this incident. According to the vendor:

  • Data Returned: The data has been returned to Instructure.

  • Assurances of Deletion: The vendor received assurances that the data will not be shared on the "dark web" or elsewhere, and they received proof that copies of the data were deleted.

  • No Extortion: Instructure was informed that no individual customers (schools or districts) will be targeted for extortion as a result of this incident.

What This Means for You

While there is never 100% certainty when dealing with cyber criminals, Instructure believes this step was necessary to protect the community and provide peace of mind. This agreement covers all Canvas customers, meaning there is no need for any individual student, parent, or teacher to engage with outside parties regarding this matter.

Next Steps

We remain in an "alert but normal" status.

  1. Continue using Canvas: The platform remains secure and fully operational.

  2. Remain Vigilant: Despite the vendor's agreement with the actor, we still recommend being cautious of suspicious emails (phishing) that may use your name or email address.

  3. Official Updates: We will continue to pass along meaningful updates as we receive them from Instructure.

We appreciate your continued patience as we navigate this complex situation. Our priority remains the protection of our students' and staff's information.

Original Post:

Date: May 8, 2026

To: All Students, Faculty, and Families

We are writing to share important information regarding a series of cybersecurity incidents recently reported by Instructure, the provider of our Canvas Learning Management System. We have been monitoring the situation closely and are providing this update to ensure our community is informed of the facts provided to us by the vendor.

Timeline and Current Status

  • Late April 2026: Instructure detected that a criminal threat actor gained unauthorized access to their platform.

  • May 7, 2026: Further unauthorized activity prompted Instructure to take Canvas offline globally in "maintenance mode" as a security precaution.

  • Current Status: Canvas is fully back online and operational. Instructure has remediated the underlying vulnerability and implemented enhanced monitoring.

Scope of the Incident

Instructure has identified the entry point as "Free-For-Teacher" accounts. It is important to note that our district utilizes a professional Institutional Account, which is a more secure, managed environment. Furthermore, we have received no reports of unauthorized changes to any of our district’s course pages or dashboards during these events.

What Information Was Involved?

According to the information received from Instructure, the data associated with institutional accounts that may have been accessed includes:

  • User Profiles: Names and email addresses.

  • School Identifiers: Student and staff ID numbers.

  • Canvas Inbox: Internal messages sent through the platform.

At this time, Instructure reports no indication that passwords, dates of birth, government identifiers (SSNs), or financial information were involved.

Ongoing Investigation

While we have the general categories of data involved, we do not yet know the full extent of the impact on our specific district. Instructure’s forensic teams are working around the clock to provide us with organization-specific data. We are committed to sharing more detailed information with you as soon as it is confirmed and provided to us.

Recommended Awareness

Because names and school email addresses were involved, we ask all students, staff, and parents to be vigilant regarding phishing attempts. Please be cautious of any unsolicited emails or messages—even those that appear to be from the school or Canvas—asking for personal information, login credentials, or payments.

The security of our students' and staff's information is our top priority. We will continue to provide updates as we receive more pertinent information from Instructure.

Questions? Please contact Loralee Price here.