Utah System of Higher Education
Office of Research and Data Science
Higher Education Privacy Officer
Update: May 8, 2026, 12:26 p.m.
Instructure, an educational software vendor used by several Utah System of Higher Education (USHE) institutions, has announced that it experienced a data security incident as a result of an attack by a criminal threat actor. USHE institutions contract with Instructure for Canvas, the primary web-based learning management system used by many USHE institutions. Instructure has notified several USHE institutions (listed below) that personally identifiable information about students and instructors at those institutions was disclosed in this incident.
What Information Was Compromised?
According to Instructure, the incident resulted in the compromise of names, email addresses, student ID numbers, and user messages. The compromised information relates to students, instructors, and other users. Instructure does not believe that passwords, dates of birth, government identifiers, or financial information were compromised. While media reports and information from non-USHE institutions suggest that this incident affects a very large number of users at many educational institutions and the threat actor has made unconfirmed claims about individuals and institutions involved, Instructure has not yet identified affected users or confirmed the involvement of specific institutions.
What is Being Done About This Incident?
USHE and its institutions are actively monitoring the situation and are committed to assessing and addressing the potential ramifications of this incident. USHE has notified the Utah Cyber Center and the Utah Office of the Attorney General on behalf of affected USHE institutions.
Due to the scope of this incident and the fact that the data systems that were compromised are operated by Instructure, not USHE institutions, Instructure is the focus of the response to this incident. Instructure has restored most normal Canvas functions. The company is providing information about its response to affected institutions but has not yet identified affected users. Instructure has engaged a third-party forensics firm and has notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners. Based on the remedial action that it has implemented, the company believes that both the initial incident discovered on April 29 and the subsequent incident of May 7 have been contained.
Independent of Instructure, affected USHE institutions are taking steps to identify potentially affected users and compromised data. Institutions had previously taken preventative measures in anticipation of attacks such as this, which USHE believes may have reduced the number of users involved and the amount of data compromised.
What Can Students Do to Protect Themselves?
Because this incident involves Instructure’s systems and not USHE’s or any USHE institution’s, there is nothing more that students need to do to secure their institutional accounts or data. The compromised information will not allow access to a student’s Canvas or institutional accounts.
Students and other Canvas users should remain cautious of unsolicited emails claiming to be from Instructure, Canvas, or their institutions, especially emails asking them to provide personal information or instructing them to reset passwords. Changing passwords is unnecessary, but users who wish to change their passwords as a precaution should do so by accessing their institution’s website or Canvas directly rather than through a link in an unsolicited email.
In accordance with federal guidelines for protection against identity theft after a data incident, USHE encourages affected students to remain vigilant about potential indications of identity theft over the next 12 to 24 months and to report suspected identity theft incidents to their institutions and, if appropriate, law enforcement authorities.
The Federal Trade Commission (FTC) provides useful information to help protect affected students from identity theft at identitytheft.gov/databreach. If affected students find that their personal information has been misused, they can visit the FTC’s site at IdentityTheft.gov to report the identity theft and get recovery steps.
Instructure has stated that information regarding identity protection resources for affected individuals will be forthcoming as its investigation progresses.
As always, USHE recommends that students practice good data security habits and adhere to their institution’s recommended security practices.
What is Instructure?
Instructure is a private education technology company that provides Canvas, a learning management system used to provide online content for fully online and hybrid courses. USHE institutions contract with Instructure for Canvas and, as permitted under the federal Family Educational Rights and Privacy Act (FERPA), provide student data to Instructure as needed for use in Canvas.
What Happened in the Incident?
According to Instructure, the incident took place between April 25 and April 30; the company discovered the incident on April 29. Instructure believes that a criminal threat actor compromised application programming interfaces (APIs) within Instructure’s data systems used to communicate data between applications. The actor was then able to use the compromised APIs to extract user data. The threat actor issued ransom demands on May 7 directed at Instructure, threatening to publish the user data that were visible to Canvas users.
This data incident involved only Instructure’s data systems. No systems managed by USHE or any institutions have been compromised, and no institutional data that was not sent to Instructure has been affected. Instructure believes that its systems have been secured against further intrusion.
Who to Contact for More Information?
Information from Instructure is available on the Instructure system status website. The company has not provided information regarding which users have been affected by the incident at this point, citing its ongoing investigation. Affected students can contact their institution’s data privacy officer for more information.
More information from USHE institutions regarding this incident is available online at:
- Davis Technical College
- University of Utah
- Utah State University
- Utah Valley University
- Snow College
- Southern Utah University
- Southwest Technical College
- Utah Tech University
- Weber State University
USHE will update this notice as more information becomes available.