Canvas breach puts global education cyber risk in focus
ITBrief interviewed NetSPI’s Field CISO, Nabil Hannan, for a May 24, 2026 article about a major data breach in Instructure’s Canvas learning management system that disrupted final exams at universities including Harvard and Northwestern, along with a claim that roughly 275 million student and staff records were stolen, spanning more than 7,000 universities and K-12 districts. Read the preview below or view it online.
Nabil focused on the long-term risks that extend well beyond the immediate disruption. He pointed out that a learning management system holds far more than basic student data. It can contain years of communications, behavioral history, and sensitive personal information like accommodations, all of which become highly valuable in the wrong hands.
He also highlighted a specific risk with student data: children’s identities often go unused and undetected for far longer than adult identities, making stolen student records a particularly effective tool for phishing, impersonation, and identity fraud campaigns that can play out for years after a breach. His broader takeaway was that cybersecurity in education can no longer be treated as a simple IT problem. It has become a student safety issue.