Canvas Security Incident
We write to alert you to a communication the University recently received from Instructure (the parent company of Canvas) regarding the cybersecurity breach experienced by their company. The full facts are as follows:
- On April 29, 2026, Instructure detected unauthorized activity in Canvas. They immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts to determine the extent of the cybersecurity breach.
- As the second-largest Learning Management System (LMS), Canvas is employed by over 9000 institutions worldwide.
- DeSales is not currently an Instructure/Canvas client school. However, in 2022, while evaluating LMS providers, DeSales utilized a “test instance” of the Canvas platform. During that test, we ran four (4) courses during the Summer and Fall 2022 terms in Canvas.
- Operationally, there has been no impact to DeSales, as the test instance has not been utilized since January 2023.
- On May 5th, Instructure advised the University that DeSales was potentially impacted by the data security breach on its platform.
- Instructure activated its incident response team and has been in contact with client schools about its investigation and potential impacts. Law enforcement has also been notified and investigations of the data breach remain ongoing.
- On May 7th, additional unauthorized activity tied to the same incident was detected. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas.
- This breach may have resulted in the unwarranted sharing of personal information of some DeSales University students, faculty, or staff. The data fields involved may include information like usernames, email addresses, course names, enrollment information, and messages. Instructure is still validating all findings, but we want to be clear about what we understand was and wasn't affected at this time.
- On May 11th, Instructure reached an agreement with the unauthorized actors involved in this incident. As part of that agreement:
  - The data was returned to Instructure.
  - They received digital confirmation of data destruction (shred logs).
  - They have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
- This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
- Despite the agreement reached with the unauthorized actors, we at DeSales want to make you aware of the incident so that you are mindful of what has occurred and can review your online digital footprint, and to remind you to stay vigilant and safe with your educational and personal information.
- Instructure has been working diligently to determine the degree of impact on institutions and on the personal information of individual students, faculty, or staff. Once they make a final determination, Instructure will update affected institutions. Should DeSales receive further information from Instructure related to the information of our community members, we will share that with you.
- If it is determined notice is required, affected individuals will be notified directly by Instructure, as is consistent with applicable law and regulatory notice requirements.
- In the meantime, it is always a good practice to be cautious of unexpected emails or messages referencing this incident, avoid clicking suspicious links, and report anything unusual to our DeSales IT team at helpdesk@desales.edu.
- DeSales University students, faculty, and staff should not expect to receive direct communications from Canvas that tie to the LMS and cannot access the “Test Instance” via Single Sign-On (SSO).
- Treat any message from Canvas asking you to click a link or access the Canvas LMS as suspicious. Phishing examples may look like “Your assignment did not upload, click here to submit” or “Tuition hold released. Log in to confirm.”
- If you ever logged directly into a Canvas LMS site (in high school or the DSU test instance) using a password instead of SSO, change that password. Anywhere that password was reused, change that password also.
- Turn on Multi-Factor Authentication (MFA) for any other accounts where you may use DSU credentials to log in. Using MFA or dual-factor settings blocks most account takeover attempts, even if passwords are compromised.
If you have questions or concerns, please direct them to our IT helpdesk at helpdesk@desales.edu.
Thank you,
Peter Rautzhan, vice president for administration
Ron Spaide, chief information officer