methaphum - stock.adobe.com

News

Canvas breach hit 160 UK unis but caused limited damage

The April 2026 ShinyHunters breach of the Canvas learning management system caused downstream impacts at more than 150 higher education institutions in the UK, but the damage appears to have been limited

Alex Scroxton
By
Published: 25 Jun 2026 16:49

The April 2026 cyber incident that hit Infrastructure Holding’s Canvas learning management system (LMS) is now thought to have affected approximately 160 British higher education institutions but its general impact in the UK was limited, according to a review of the data breach published by the Cyber Monitoring Centre (CMC).

The CMC was established in 2025 with the objective of measuring the impacts of major cyber events – which it ranks on a ‘hurricane’ scale of one to five. It has previously reported on both the Marks & Spencer and Jaguar Land Rover cyber attacks.

The CMC said that the estimated UK financial impact from the Canvas breach was actually below its minimum category threshold – a Category 1 event is required to have a loss of £10m or impact more than 0.01% of UK organisations – therefore it has not carried out a formal assessment.

Instead, it set out to conduct a review to better understand the financial impact of data breach incidents, inform the future development of its analysis model and gain deeper insight into cyber risk factors in higher education to add to its body of knowledge and better help institutions improve their resilience.

“Approximately 160 UK higher education institutions were affected, although disruption was generally limited in duration and scope due to mitigating factors,” said the CMC in its review brief.

“This event illustrates how data breach events can differ from large-scale disruption events in their financial profile. In this case, losses appear to be driven more by response, recovery and risk management activity than by prolonged business interruption.

“It also reinforces that sector-specific characteristics matter. In higher education, reliance on human-led delivery and the availability of alternative teaching methods contributed to resilience that may not exist in more automated sectors,” wrote the review’s authors.

ShinyHunters strikes again

The incident was first reported at the end of April when Infrastructure identified unauthorised access to the Canvas LMS – which is now known to have been orchestrated by the ShinyHunters hacking collective.

The cyber gang was able to exfiltrate confidential data including usernames, email addresses, course and enrolment information, student IDs and – in some instances – messaging data.

ShinyHunters sought to extort Infrastructure, publishing lists of victims, disrupting the LMS, and defacing virtual learning environments (VLEs).

Contrary to all accepted advice, it is now known that Infrastructure gave in to ShinyHunters demands and paid an undisclosed sum of money to destroy the stolen data.

The CMC said that at the time of the assessment there was no evidence to suggest ShinyHunters had moved laterally into other institutional systems, but there remains some residual risk relating to the stolen data, which may yet be used for phishing or social engineering.

Next steps for higher ed

As part of the review, the CMC’s Technical Committee has issued a series of recommendations for the higher education sector – which are also applicable to others.

  • System architecture should be aligned with risk, ensuring mission critical services and infrastructure supporting high-value or revenue-generating activities are protected as a priority;
  • Application and data layers should be separated when possible to support data integrity and recovery after an incident;
  • Multifactor authentication (MFA) should be uniformly applied and correctly configured;
  • Third-party access and privileges should be carefully configured and managed;
  • Dependences on offshore providers not necessarily subject to UK law – such as US-based Infrastructure – should be audited and known;
  • Software-as-a-service (SaaS) security controls and configurations should be properly implemented;
  • Breach scenarios and business continuity responses should be practiced.

The CMC also highlighted the importance of concise, clear, and prompt technical communication with users, customers and other stakeholders, and warned that should a ransom be paid – again this is extremely bad practice – follow-on risks should be carefully communicated to potential downstream victims

The CMC said: “The event highlights the need for better measurement of data breach impacts, which remain less well understood than operational outage events. The CMC is continuing to invest in its models to assess the impact of data breach events.”

Read more about security in the education sector

  • K-12 Dive: Cyber security incidents like the one that hit Instructure threaten the faith placed in schools to protect children and their data, says a leading expert.
  • A zero-day vulnerability affecting Oracle’s PeopleSoft products is being exploited by a ShinyHunters campaign targeting schools and universities.
  • Eindhoven University of Technology has planned MFA and regularly practiced cyber crisis drills – yet it still fell victim to attackers who exploited gaps in its defences.

Read more on Data breach incident management and recovery