Based on currently available information, during the incident on April 29, 2026, certain personal data of users at affected organizations may have been compromised, including names, email addresses, student identification numbers, and messages exchanged between Canvas users. The vendor has stated that, according to current findings, there is no evidence that passwords, dates of birth, official identifiers, or financial data were involved.

On May 7, 2026, an additional unauthorized activity occurred in which pages displayed to some Canvas users were altered. According to the vendor, there is currently no evidence that additional data were exfiltrated or that user login credentials were obtained during this activity. The vendor reported that the point of entry was linked to Free-for-Teacher accounts, which have been temporarily disabled, and that the Canvas platform is now fully accessible again.

The University has requested further clarifications from the vendor, specific to our organization. We are addressing the incident in cooperation with the relevant internal services and will report it to the Information Commissioner. This notice will be updated if necessary once additional verified information becomes available. In the meantime, the latest updates and additional details regarding the incident can also be checked on the processor’s dedicated webpage: Security Incident Update & FAQs | Instructure

Users are advised to exercise particular caution with emails that may reference Canvas, studies, system login, password changes, or account verification. Do not open suspicious links or attachments and do not share passwords, login credentials, or verification codes with anyone.

We will keep you informed of any further required actions.

Thank you for your understanding.