Multiple post-secondary institutions across Canada have been impacted by a cyberattack targeting Canvas, a learning platform used by thousands of schools globally to manage student coursework, grades and education materials.
Technology company Instructure launched an investigation on April 29 after detecting "unauthorized activity" in the system. The company says information affected by the attack may include names, emails and messages exchanged within the platform, but there is no evidence that passwords, financial information or government identifiers have been compromised.
In Ontario, schools including the University of Toronto, Mohawk College, OCAD University and Western University's Ivey Business School were among the 9,000 schools impacted by the incident worldwide. British Columbia schools including UBC and Simon Fraser University also reported being impacted, as well as the University of Alberta.
Instructure says Canvas went offline temporarily but is now available to use. An investigation into the breach is ongoing with a third-party forensic firm and law enforcement.
Canada's federal privacy commissioner acknowledged a request for comment on the cyberattack but did not immediately provide a response.
The Instructure breach follows the October sentencing of a Massachusetts man who pleaded guilty to the cyber extortion of two companies, including education software firm PowerSchool, in a 2024 cyberattack affecting current and former students, parents and staff at some school boards in the U.S. and Canada. Privacy watchdogs in Ontario and Alberta investigated the PowerSchool breach, concluding in a report last November that more than five million Canadians were affected by the cyberattack and school boards lacked adequate response plans.
