The UK’s Cyber Monitoring Centre (CMC) has shared its analysis of the Canvas cyber incident affecting Instructure’s Learning Management System as the education technology firm prepares to share its own findings next week.
The CMC said that approximately 160 UK higher education institutions were affected and threat actors exfiltrated confidential course and user data. In total, around 9000 educational institutions are thought to have been affected worldwide.
While the incident has not met the CMC’s minimum category threshold, the review aims to better understand the financial impact of data breach events, inform the development of the CMC’s data breach analysis model and deepen insight into cyber risk within the UK higher education sector.
The CMC considers a cyber-attack a ‘Category 1 event’ if it has loss of £10m ($13m) or impact more than 0.01% of UK organizations. For context, the 2025 cyber-attack against Jaguar Land Rove was ranked as a Category 3 systemic event on the five-point CMC scale.
The CMC said that the Canvas event illustrates how data breach events can differ from large-scale disruption events in their financial profile.
“In this case, losses appear to be driven more by response, recovery, and risk management activity than by prolonged business interruption,” the CMC review said.
On April 29, Instructure detected unauthorized activity in Canvas. The company said this activity was carried out by a cybercriminal organization known for large-scale attacks across multiple sectors, including technology and education.
On May 7, 2026, the same threat actor gained additional access through a second Canvas vulnerability. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas
A defacement message which appeared on approximately 330 institutional Canvas login pages led many to conclude that the ShinyHunters extortion group was at the center of the cyber-attack. Attribution has not been confirmed by Instructure.
The firm confirmed on May 9 that Canvas was fully online and available for use.
CrowdStrike is involved in the forensic investigation into the incident, which Instructure said was carried out using one of its Free-For-Teacher accounts.
The CMC said that despite the number of higher education institutions affected, there is no evidence of lateral movement of the threat actors into the other institutional systems.
The recommendations outline by the CMC were described as “common good practice” for higher education establishments that have been reinforced by analysis of the Canvas event. These include:
Communication was also a key recommendation for organizations responding to an incident including sharing sufficient technical detail to enable partners and customers to assess their exposure and undertake their own investigation.
Further, the CMC said that software providers should maintain appropriate customer contacts – for example the CIO or CISO – for incident notifications.
Following the incident, the education technology firm said it had "reached an agreement with the unauthorized actor involved in this incident." However, it did not state whether money exchanged hands.
The CMC noted that following a ransom payment, promises to delete data, including passing on apparent technical proof of deletion, are unreliable.
In this case, the ongoing risk to students and others is unlikely to be direct extortion. A more likely risk is that the exfiltrated data could be used to target them with more sophisticated phishing emails.
Canvas said it does not expect the information involved to be made public but highlighted that those affected should remain vigilant for phishing, smishing and vishing scams.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。