Comox Valley Schools is notifying families that their historical account information was part of a recent cybersecurity incident involving the Canvas learning management system. Although the district no longer uses the platform, the breach includes data from accounts active between 2018 and 2024.
What Happened
Instructure, the parent company of Canvas, notified the district of the breach on May 5, 2026. The exposed data is limited to student and staff names, school-issued email addresses, and the names and emails of parents who created Canvas observer accounts. District officials confirmed that grades, coursework, home addresses, dates of birth, and government IDs were not in the system. Student and staff passwords remained secure because the district used Microsoft Entra for single sign-on (SSO). Because SSO centralizes authentication, third-party applications like Canvas do not require or store local passwords. The district IT team is auditing existing Canvas accounts to ensure access is restricted and has requested an impact report from Instructure.
The Bigger Picture
This notification is one result of an industry-wide supply-chain vulnerability. As we previously reported, Instructure confirmed a data breach in early May following maintenance on its systems. A threat actor group, ShinyHunters, claims to have stolen 280 million records from 8,809 educational institutions, potentially affecting 275 million users. The hackers allegedly bypassed security by exploiting data export features and user APIs. Instructure has hired outside forensics experts and is working with the FBI. The company has not verified the scale of the data loss claimed by the hackers. This follows other tactics we covered recently, in which hackers defaced school Canvas login pages with extortion threats.
What This Means for Families
This incident demonstrates that historical data often remains on vendor servers even after a school district stops using the technology. While the use of centralized authentication prevented password exposure, the leak of names and email addresses creates a risk of targeted phishing attacks. Educational data breaches are a growing threat, rising 38 percent between 2020 and 2022. The exposure of student records can lead to scams, potential discrimination, or misuse of learning data. Parents cannot always rely on school systems to maintain adequate safeguards. A recent audit of New York City Public Schools found that the district lacked written policies for data classification and delayed breach notifications to families in 11 percent of cases.
What You Can Do
- Monitor your inbox for targeted phishing. Scammers may reference real names or former classes to appear legitimate.
- Ignore messages that urgently prompt you to click links or download unexpected attachments, or that request financial assistance.
- Demand transparency from your local school board regarding their data retention policies. Ask how long legacy data is stored after the district stops using an application.