The UK’s Cyber Monitoring Centre (CMC) has shared its analysis of the Canvas cyber incident affecting Instructure’s Learning Management System as the education technology firm prepares to share its own findings next week.
The CMC said that approximately 160 UK higher education institutions were affected and threat actors exfiltrated confidential course and user data. In total, around 9000 educational institutions are thought to have been affected worldwide.
While the incident has not met the CMC’s minimum category threshold, the review aims to better understand the financial impact of data breach events, inform the development of the CMC’s data breach analysis model and deepen insight into cyber risk within the UK higher education sector.
The CMC considers a cyber-attack a ‘Category 1 event’ if it causes a loss of £10m ($13m) or impacts more than 0.01% of UK organizations. For context, the 2025 cyber-attack against Jaguar Land Rover was ranked as a Category 3 systemic event on the five-point CMC scale.
The CMC said that the Canvas event illustrates how data breach events can differ from large-scale disruption events in their financial profile.
“In this case, losses appear to be driven more by response, recovery, and risk management activity than by prolonged business interruption,” the CMC review said.
How the Canvas Cyber-Attack Unfolded
On April 29, Instructure detected unauthorized activity in Canvas. The company said this activity was carried out by a cybercriminal organization known for large-scale attacks across multiple sectors, including technology and education.
On May 7, 2026, the same threat actor gained additional access through a second Canvas vulnerability. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas.
A defacement message which appeared on approximately 330 institutional Canvas login pages led many to conclude that the ShinyHunters extortion group was at the center of the cyber-attack. Attribution has not been confirmed by Instructure.
The firm confirmed on May 9 that Canvas was fully online and available for use.
CrowdStrike is involved in the forensic investigation into the incident, which Instructure said was carried out using one of its Free-For-Teacher accounts.
Cyber Monitoring Centre Review and Recommendations
The CMC said that despite the number of higher education institutions affected, there is no evidence of lateral movement by the threat actors into other institutional systems.
The recommendations outlined by the CMC were described as “common good practice” for higher education establishments that have been reinforced by analysis of the Canvas event. These include:
- Align architecture with risk: Prioritize protection of mission‑critical systems and high‑value services based on the organization’s risk appetite
- Separate application and data layers: Improve data integrity, recovery and validation by isolating these components where possible
- Enforce MFA consistently: Ensure multi-factor authentication is properly implemented across all systems
- Control third‑party access: Limit and closely manage external access privileges across the supply chain
- Assess offshore dependencies: Understand risks linked to overseas providers, including legal and support limitations
- Strengthen SaaS security: Follow provider guidance to avoid misconfigurations and reduce breach risk
- Test incident response plans: Run breach and outage scenarios to improve resilience and business continuity
Canvas Incident Underscores Phishing Risks and Need for Clear Communication
Communication was also a key recommendation for organizations responding to an incident, including sharing sufficient technical detail to enable partners and customers to assess their exposure and undertake their own investigation.
Further, the CMC said that software providers should maintain appropriate customer contacts – for example the CIO or CISO – for incident notifications.
Following the incident, the education technology firm said it had "reached an agreement with the unauthorized actor involved in this incident." However, it did not state whether money changed hands.
The CMC noted that following a ransom payment, promises to delete data, including passing on apparent technical proof of deletion, are unreliable.
In this case, the ongoing risk to students and others is unlikely to be direct extortion. A more likely risk is that the exfiltrated data could be used to target them with more sophisticated phishing emails.
Canvas said it does not expect the information involved to be made public but highlighted that those affected should remain vigilant for phishing, smishing and vishing scams.
