News Release: Canvas Data Breach Advisory for Greater Fayetteville Chamber Members

FOR IMMEDIATE RELEASE
Date: May 7, 2026
From: El Chico Tech
Audience: Members of the Greater Fayetteville Chamber of Commerce

El Chico Tech is informing members of the Greater Fayetteville Chamber of Commerce about a significant cybersecurity incident involving Instructure, the company behind the widely used Canvas learning management system. Public reporting and institutional alerts indicate that attackers gained unauthorized access to Instructure systems and accessed user data tied to schools, colleges, and other education organizations that rely on Canvas.

Early reporting indicates the incident may affect a very large number of institutions globally, with some reports citing nearly 9,000 schools, districts, colleges, and universities and millions of users potentially impacted. Instructure has stated that exposed information may include names, email addresses, student identification numbers, and private Canvas messages, while saying there is no current evidence that passwords, Social Security numbers, banking information, or full payment card data were accessed.

Why this matters locally

This incident matters to Chamber members because Fayetteville-area businesses, nonprofits, schools, training providers, and community organizations frequently interact with students, parents, educational institutions, and workforce-development partners. Even when the exposed data does not include financial records, contact details and internal messages can still be used for phishing, impersonation, invoice scams, and social-engineering attacks against staff, students, and families.

Organizations that sponsor internships, provide youth services, conduct workforce training, or maintain partnerships with K-12 and higher-education institutions should be especially alert for suspicious emails or messages that reference Canvas, class notices, assignments, student records, invoices, account resets, or urgent requests tied to school operations.

Steps members can take now

Be cautious with Canvas-related emails and texts. Do not click unexpected links or open attachments claiming to be from Canvas, Instructure, or a school IT department without first verifying the sender through a trusted source.

Reset reused passwords. If any employee, student worker, or family member reused the same password on Canvas and other services, those passwords should be changed immediately, especially for email and financial accounts.

Turn on multi-factor authentication. MFA adds a second layer of defense and helps reduce the risk of account takeover if credentials are exposed or guessed.

Warn staff about social engineering. Attackers may use stolen names, email addresses, or message content to create convincing scams involving invoices, payroll, donations, tuition, or account verification.

Verify payment changes by phone. Any request to change banking details, payment instructions, or vendor information should be confirmed through a known phone number before action is taken.

Monitor official school and vendor updates. Institutions using Canvas are posting their own notices as they assess local impact and coordinate with Instructure.

Review incident response plans. Businesses and nonprofits should confirm who handles suspicious emails, possible account compromise, and communications with customers or partners after a cyber incident.

What Instructure has said

Instructure has reported that it revoked compromised access, applied security updates, increased monitoring, and engaged outside cybersecurity specialists and law enforcement as part of its response. The company has also said the investigation is ongoing and that institutions should continue watching for direct notifications and updated guidance as more facts are confirmed.

Related links and sources

ABC News Australia: Major data breach sees student details compromised

K-12 Dive: Instructure confirms cybersecurity incident

Rutgers IT alert: Nationwide security breach involving Canvas

Inside Higher Ed: “PAY OR LEAK”: Hackers Target Big Higher Ed Vendor

Malwarebytes: Millions of students' personal data stolen in major education cyberattack

GovTech: Instructure Investigating Cyber Attack, Exposure of User Data

TechCrunch: Hackers steal students' data during breach at education tech giant Instructure

Suggested closing statement

El Chico Tech encourages Greater Fayetteville Chamber members to treat this breach as a reminder that third-party platform incidents can quickly create risk for local organizations. Prompt communication, stronger authentication, staff awareness, and verification procedures can help reduce the chance that a vendor breach turns into a local financial loss or secondary compromise. El Chico Tech also shares ongoing cybersecurity awareness content and practical defense guidance for the community. Follow El Chico Tech at www.youtube.com/elchicotech.