Canvas cyber security incident

We have been made aware of a global cybersecurity incident affecting Canvas, the learning management system used by our colleagues and students.

The incident relates to data held by Canvas’s provider, Instructure, and involved unauthorised access by a malicious actor. Instructure has advised that the incident affected a large number of organisations worldwide.

We are currently working with Instructure to understand the full details and any potential impact. Based on the information provided to us so far, the data may include names, email addresses, student ID numbers, and Canvas Inbox and Discussion messages.

At this stage, they have advised that the incident is not believed to include sensitive personal data such as dates of birth, financial information or passwords. We have also been advised that, at this stage, no data has been released publicly.

No other organisation systems are affected.

Instructure has confirmed that the incident has been contained and Canvas is operating under enhanced security monitoring. Colleagues and students should continue to use Canvas as normal.

We have reported the incident to the Information Commissioner’s Office (ICO) in the UK and the Data Protection Commission (DPC) in Ireland, and we continue to liaise with Instructure and relevant parties to understand the full details and scope.

We understand this situation may be concerning and want to reassure our staff, students and partners that we are taking steps to ensure our services remain secure.