The Cyber Monitoring Centre (CMC) has reviewed the Canvas cyber incident affecting Instructure’s Learning Management System. The purpose of this review was to better understand the financial impact of data breach events, inform the development of the CMC’s data breach analysis model, and deepen insight into cyber risk within the UK higher education sector.
The estimated UK financial impact is below the CMC’s minimum category threshold and so a formal assessment has not been carried out. For an incident to be considered a Category 1 event it is required to have a loss of £10M or impact more than 0.01% of UK organisations. The financial impact of the Canvas incident does not meet that threshold, but our analysis has added to our body of knowledge and highlights actions to improve resilience in the UK education sector, with wider applicability to other sectors.
The incident, which gained significant public attention, involved unauthorised access to the Canvas platform, resulting in the exfiltration of user and course data, followed by a period of service disruption in early May. Approximately 160 UK higher education institutions were affected, although disruption was generally limited in duration and scope due to mitigating factors including the reliance on human-led delivery and the availability of alternative teaching arrangements.
Event Overview
At the end of April 2026, Instructure identified unauthorised malicious access to its Canvas Learning Management System (LMS), a widely used platform in the higher education sector.
As part of the attack, threat actors exfiltrated confidential course and user data, including:
- Usernames and email addresses;
- Student IDs;
- Course names;
- Enrolment information;
- In limited instances, messaging data.
The threat actors then sought to increase pressure on Instructure by publishing lists of impacted organisations, disrupting the Canvas platform, and defacing virtual learning environments (VLEs). This contributed to Instructure paying an undisclosed ransom in an effort to limit customer impact.
Approximately 160 UK higher education institutions were impacted. This includes approximately 70 universities, 50 colleges and 40 specialist schools, alongside other higher education bodies. This assessment is based on media reporting, information published by Instructure, and internet scanning data.
Many higher education providers demonstrated inherent resilience due to the nature of their services and reliance on human capital. Alternative teaching platforms and locally stored course materials were widely available, which helped to limit operational disruption and financial impact.
At the time of assessment, there is no evidence of lateral movement by the threat actors into other institutional systems. The primary residual risk relates to the confidential data that was exfiltrated, including the potential for phishing or follow-on social engineering activity.
Recommendations arising from this event
The CMC Technical Committee has the following recommendations for higher education establishments, which are also applicable to other sectors. These recommendations are common good practice, but are reinforced by our analysis of this event:
- Align system architecture with risk
Higher education providers (and other organisations) should design their system architecture so that mission-critical services and infrastructure supporting high-value or revenue-generating courses are identified, protected and prioritised. The selection of software solutions and commodity products should reflect the institution’s risk position, risk appetite and risk tolerance.
- Separate application and data layers
Where possible, separate application and data layers to support data integrity, recovery, and post-incident validation.
- Apply multi-factor authentication (MFA) consistently
There continue to be instances where MFA guidance is not followed, or is poorly configured, leaving organisations exposed.
- Manage third-party access and privileges
Ensure that third-party account privileges and access levels are carefully configured, avoiding excessive access across the estate. This includes identifying all assets in the supply chain for provision of services.
- Understand dependency on offshore providers
Ensure a comprehensive understanding of any critical dependencies on service providers. Where these include offshore providers, consideration should be given to the fact that they may not be subject to UK law, which could affect their approach and limit the support available from the NCSC and others in the event of an incident.
- Implement SaaS security controls and configurations
Adopt SaaS provider security procedures and recommendations to reduce the risk of misconfiguration and breach.
- Practise breach scenarios and business continuity responses
The event is instructive and could easily have been more damaging. Institutions can learn from the incident and use it as the basis for business continuity exercises. Organisations should identify other SaaS platforms they rely on heavily, run outage scenarios for those platforms, and rehearse their ability to recover.
For organisations responding to a breach event, the Technical Committee recommends:
- Deliver prompt technical information
Organisations should provide early, clear communication, including sufficient technical detail to enable partners and customers to assess their exposure and undertake their own investigations. This should include a realistic assessment of system security while forensic investigations are ongoing.
Software providers should maintain appropriate customer contacts (e.g. CIOs, CISOs) for incident notifications and understand relevant regulatory reporting requirements across customer jurisdictions.
- Carefully consider communication of risk following ransom payments
Previous law enforcement operations (like the disruption by law enforcement of the LockBit ransomware group) have shown that promises to delete data, including passing on apparent technical proof of deletion, are unreliable. In this case, the ongoing risk to students and others is unlikely to be direct extortion. A more likely risk is that the exfiltrated data could be used to target them with more sophisticated phishing emails. Risks should not be overstated, but they should be set out in clear terms.
This onward risk of data manipulation for criminal purposes is one of the main reasons societies care about data breaches. In cases such as this, the direct primary cost to organisations might be very low, but the more general harm is the placing of personal data in the hands of criminals for potential further exploitation.
As part of incident planning, organisations should ensure they can communicate clearly and authoritatively the concerns following a data breach incident, carefully articulating the risks to which individuals are, and are not, exposed. Organisations should look to avoid giving false reassurance in an environment where it is hard to predict future threat actor behaviour.
Conclusion
This event illustrates how data breach events can differ from large-scale disruption events in their financial profile. In this case, losses appear to be driven more by response, recovery, and risk management activity than by prolonged business interruption.
It also reinforces that sector-specific characteristics matter. In higher education, reliance on human-led delivery and the availability of alternative teaching methods contributed to resilience that may not exist in more automated sectors.
The event also demonstrated the value of a collective response through industry bodies and the positive impact of information-sharing across impacted organisations.
Finally, the event highlights the need for better measurement of data breach impacts, which remain less well understood than operational outage events. The CMC is continuing to invest in its models to assess the impact of data breach events.
About the Cyber Monitoring Centre
The Cyber Monitoring Centre is an independent, non-profit organisation responsible for analysing and categorising cyber events that impact UK organisations.
Events are categorised by an independent technical committee made up of leading cyber experts and based on analyses of data from leading providers. Event categorisation and event reports are made publicly available to help increase the understanding of the impact of cyber events and improve cyber mitigation and response plans. Detailed CMC analysis and data are provided to CMC Members.
Full details of the CMC’s methodology and categorisation matrix can be found here and full details of the CMC’s Technical Committee can be found here.
Disclaimer
The Cyber Monitoring Centre provides event categorisations free of charge that are publicly available to all. No liability is accepted for the use of, or reliance on event categories. Event categorisations are determined based on the information available. All reasonable endeavours are used to try to ensure accuracy of the information used in providing the event categorisation. However, the Cyber Monitoring Centre makes no representations or warranties of any kind, whether express or implied, as to the completeness, accuracy, reliability or suitability of the event categorisation or any supporting information, any of which may be subject to change without notice.