Pulling Back the Curtain on the Canvas Cyber Incident

Written By Doug Levin

Since the lion’s share of K12 SIX’s work with our members involves handling the sensitive operational details of defending schools from active cyber threats, it remains out of the public eye. The downside: our role and the value of our work remains opaque to the wider education community. The recent Canvas LMS cyber incident, however, provides a chance for us to pull back that proverbial curtain and offer a peek into our efforts. The scope and rapid evolution of the incident required significant effort by K12 SIX and its members to determine ground truth and recommend appropriate responses.

Over three weeks, starting Friday, May 1 when Instructure first disclosed it had experienced a security incident, K12 SIX and its members immediately started coordinating and taking collective action:

  • K12 SIX organized and led four separate confidential member briefings to provide updates on incident developments, including—at the invitation of K12 SIX—a briefing joined by Instructure’s CISO

  • K12 SIX also conducted, and confidentially shared the results of, a quick-turnaround survey of members to assess their operational status and actions taken as part of incident response

  • Members submitted threat intelligence that was vetted, enhanced, anonymized, and converted into confidential alerts by K12 SIX analysts who then shared them with the wider membership

  • Other members discussed developments, insights, and questions via secure, real-time chat communications channels established for this purpose

In parallel, the K12 SIX team:

  • Monitored the dark web leak site operated by the threat actor

  • Reviewed historical issues and public discussions raised in GitHub, and discussion forums organized around Canvas’ open-source code, as well as relevant information about the Learning Tools Interoperability (LTI) standard and security model

  • Collaborated and shared threat intelligence with representatives of the community of organizations participating in the Institute for Security and Technology’s K-12 Cyber Defense Coalition, as well as with trusted security researchers and federal partners

  • To ensure accuracy, responded to numerous requests for context and commentary from education and general news reporters, resulting in seven media mentions including a live TV interview with LiveNOW from FOX

While some questions remain unanswered and breach notifications remain in progress, the active cyber-attack against Instructure seems to have come to a conclusion. However, K12 SIX will continue to work with partners to monitor the dark web for leaked credentials or other personally identifiable information associated with the incident, as well as the results of both regulatory and legal challenges stemming from the incident.

When we at K12 SIX say ‘members get more’ this is what we mean. The guidance and resources on our public-facing website represent only a small portion of the work we do. The real work is side-by-side with our member community, day in and day out.

K12 SIX was founded out of the belief that schools both needed and deserved a trusted cybersecurity partner—one that was laser-focused on the unique needs and context of the K-12 education community. We invite eligible education organizations to join us in our work. We are stronger when we work together.

Doug Levin
Next

K-12 Cybersecurity Insider | 5/18/2026 edition