CMC Issues Education Sector Guidance After Canvas Data Breach

Summary

– The UK’s Cyber Monitoring Centre (CMC) analyzed the Canvas cyber incident, which affected approximately 160 UK higher education institutions and exfiltrated confidential course and user data.
– The incident did not meet the CMC’s minimum category threshold, but the review aims to understand the financial impact of data breaches and inform the CMC’s data breach model.
– The CMC noted that the Canvas event’s losses were driven more by response and recovery activities than by prolonged business interruption, differing from large-scale disruption events.
– The cyber-attack unfolded through unauthorized activity detected on April 29, with a second vulnerability exploited on May 7, leading to page defacement on about 330 institutional login pages.
– Recommendations from the CMC include aligning architecture with risk, enforcing MFA consistently, controlling third-party access, and strengthening SaaS security to reduce breach risk.

The UK’s Cyber Monitoring Centre (CMC) has released its assessment of the Canvas data breach affecting Instructure’s Learning Management System, just ahead of the education technology firm’s own findings expected next week. Approximately 160 UK higher education institutions were impacted, with threat actors stealing confidential course and user data. Globally, an estimated 9,000 educational institutions may have been compromised.

Though the incident did not reach the CMC’s minimum threshold for categorization, the review aims to refine understanding of the financial impact of data breaches, improve the CMC’s data breach analysis model, and provide deeper insight into cyber risk within the UK higher education sector. The CMC classifies a cyber-attack as a ‘Category 1 event’ when losses exceed £10 million ($13 million) or when it affects more than 0.01% of UK organizations. For comparison, the 2025 attack on Jaguar Land Rover was ranked a Category 3 systemic event on the CMC’s five-point scale.

The CMC noted that the Canvas incident highlights how data breach events differ from large-scale disruption events in their financial profile. “In this case, losses appear to be driven more by response, recovery, and risk management activity than by prolonged business interruption,” the review stated.

How the Canvas Cyber-Attack Unfolded

On April 29, Instructure detected unauthorized activity in Canvas, attributed to a cybercriminal organization known for large-scale attacks across multiple sectors, including technology and education. On May 7, 2026, the same threat actor exploited a second Canvas vulnerability, altering pages displayed to some students and teachers during login sessions. A defacement message appeared on roughly 330 institutional Canvas login pages, leading many to suspect the ShinyHunters extortion group was behind the attack, though Instructure has not confirmed attribution. Instructure confirmed on May 9 that Canvas was fully operational again. CrowdStrike is assisting with the forensic investigation, which Instructure said was conducted using one of its Free-For-Teacher accounts.

Cyber Monitoring Centre Review and Recommendations

Despite the widespread impact, the CMC found no evidence of lateral movement by threat actors into other institutional systems. The recommendations, described as “common good practice” reinforced by the Canvas analysis, include:

  • Align architecture with risk: Prioritize protection of mission-critical systems and high-value services based on the organization’s risk appetite.

Canvas Incident Underscores Phishing Risks and Need for Clear Communication

Effective communication emerged as a key recommendation for organizations responding to incidents, including sharing sufficient technical detail to allow partners and customers to assess their exposure and conduct their own investigations. The CMC also advised that software providers maintain accurate customer contacts, such as CIOs or CISOs, for incident notifications.

Following the breach, Instructure stated it had “reached an agreement with the unauthorized actor involved in this incident,” though it did not disclose whether a ransom was paid. The CMC cautioned that promises to delete data after a ransom payment, even with apparent technical proof, are unreliable. In this case, the primary risk to students and others is not direct extortion but rather the potential for exfiltrated data to be used in sophisticated phishing campaigns. Canvas said it does not expect the compromised information to be made public but urged those affected to remain vigilant against phishing, smishing, and vishing scams.
(Source: Infosecurity Magazine)
