
Instructure Faces Multiple Lawsuits After Canvas Breach Exposes 275 Million Records

Canvas breach exposed 275M student and teacher records, prompting over six lawsuits. Learn what defenders should do now.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Advertisinglaw (original source)

Hackers accessed Canvas servers, stealing unencrypted personal information of 275 million users. Over six lawsuits have been filed in Utah and New York courts, while a separate Illuminate settlement shows states may seek multi‑million fines.

Context

Instructure operates Canvas, a cloud-based learning management system used by more than 8,000 schools and universities. The breach, attributed to the hacking group ShinyHunters, involved unauthorized access to stored records including names, email addresses, student IDs, private messages, and enrollment data. Plaintiffs allege the information was kept in plain text and that Instructure failed to apply reasonable security controls despite having the resources to do so.

Key Facts

- The cyberattack exposed personal data of over 275 million students and teachers.
- More than six lawsuits were filed against Instructure in Utah and New York federal courts within the past week.
- California, Connecticut, and New York settled with Illuminate for $5.1 million, with California receiving $3.25 million in penalties.

What It Means

The litigation mirrors the FTC’s action against Illuminate, where similar allegations of unencrypted data storage and delayed notice led to a consent order and state settlements. If courts find Instructure liable, the company could face damages, mandatory security overhauls, and regulatory fines comparable to the Illuminate case.

What Defenders Should Do

- Encrypt personal data both at rest and in transit (AES-256 or stronger).
- Enforce multi-factor authentication for privileged accounts and review IAM permissions for least privilege.
- Deploy cloud security posture management tools to detect misconfigured storage buckets or exposed APIs.
- Monitor network traffic for large-volume exfiltration using signatures for uncommon outbound protocols (MITRE ATT&CK T1041).
- Patch known vulnerabilities promptly; prioritize CVEs affecting web application frameworks and third-party libraries.
- Test incident response plans with tabletop exercises focused on data breach notification timelines.

Watch for upcoming court rulings on the Canvas lawsuits and any state attorney general announcements that could shape future penalties for ed‑tech vendors.
