A massive cyberattack targeting the widely used Canvas learning platform has impacted thousands of educational institutions worldwide, including several leading Canadian universities, raising fresh concerns about digital privacy and cybersecurity in higher education.
Among the affected Canadian institutions are University of Toronto, University of British Columbia, University of Alberta and the Ivey Business School at Western University.
Canvas, developed by Instructure, is used by schools to manage course materials, assignments, grades, exams and communication between instructors and students.
The company says it first detected unauthorized activity on April 29 through a compromised instructor account. After discovering additional suspicious activity days later, the platform was temporarily taken offline while investigators assessed the damage.
According to Instructure, the breach may have exposed personal information including student names, email addresses, student identification numbers and private course-related messages. The company stated there is currently no evidence that passwords, banking information or government-issued identification numbers were compromised.
Cybersecurity analysts warn the incident remains highly concerning because stolen educational data can still be exploited for fraud, phishing and identity theft.
A hacker group known as ShinyHunters has claimed responsibility for the attack, alleging it obtained information connected to approximately 275 million users globally, including students, faculty and administrative staff.
The group reportedly threatened to release the stolen data publicly unless an undisclosed ransom demand is met.
Security experts say student information is particularly valuable to cybercriminals because younger individuals often have limited credit histories, making fraudulent activity harder to detect for years.
“This kind of information can be combined with previous leaks to create complete identity profiles,” cybersecurity analyst Robert Falzon said in interviews following the breach. Experts warn that stolen identities can later be used to secure fraudulent loans, mortgages or other financial products.
The attack has also highlighted growing vulnerabilities in educational technology systems that became essential during and after the COVID-19 pandemic.
Several Canadian universities temporarily suspended or discouraged access to Canvas following the breach. Institutions have advised students and staff to remain alert for phishing emails and suspicious login requests.
The University of Toronto specifically warned users never to share multi-factor authentication codes or bypass security verification requests sent by email.
Cybersecurity professionals say the frequency and scale of attacks like this show that digital security can no longer be treated as an occasional IT issue.
“Cybersecurity is everybody’s problem now,” experts noted, emphasizing that universities, software providers and users all share responsibility in preventing future breaches.
The incident has renewed calls for stronger privacy protections and tougher accountability standards for companies handling sensitive digital information. Some experts are pushing for stricter federal laws and financial penalties similar to those imposed in parts of Europe for major data breaches.
Students and staff impacted by the breach are being encouraged to immediately change passwords, enable multi-factor authentication, monitor financial accounts closely and consider enrolling in credit monitoring services.
The attack is one of the largest known cybersecurity incidents ever to affect the global education sector and underscores the growing risks tied to digital learning systems relied upon by millions worldwide.