JACKSONVILLE, Fla. – Duval County Schools has temporarily disabled Canvas after the learning management platform was hit by what is being called the largest educational data breach on record — affecting 275 million people nationwide.
The district moved quickly to address the breach, saying the hack had minimal impact on day-to-day operations. Canvas is used primarily for employee professional development in Duval County schools, not direct student instruction.
“We can confirm the nationwide breach has had minimal impact on district operations as Canvas is primarily used for employee professional development. There is no indication that any sensitive personal information, such as passwords, financial information, or Social Security numbers was compromised. As a precaution, the district has temporarily disabled the platform until this issue is resolved,” a Duval County Schools spokesperson said.
Clay and Nassau counties also affected
News4JAX learned that Clay County and Nassau County schools also use Canvas and were affected by the breach. The hack was carried out by a cyber criminal group calling itself “Shiny Hunters,” which demanded a ransom from Canvas’s parent company, Instructure, threatening to release the personal data of millions of teachers, parents, and administrators if the company didn’t pay.
It is unclear whether Instructure paid the ransom.
Expert: Identity theft risk remains even without Social Security numbers
Ian Marlow, CEO of Fitech — a technology firm that provides IT services, cloud hosting, and software solutions — says hackers likely used a phishing scam to gain access to confidential Canvas files. He says even though Social Security numbers were not part of the breach, users should not let their guard down.
“The good news is there’s limited information, at least kept by the application — as an example, from the reports, it doesn’t include Social Security numbers and certain pieces of sensitive information,” Marlow said.
But he warns the data that was stolen can still be weaponized.
“There is a concern because if information on the dark web where they’re going to sell it is combined with other information that either validates your address, age, birthdate — eventually maybe pairing with a Social Security number — then you get into identity theft,” Marlow said.
Marlow advises Canvas users to watch for suspicious emails and phone calls from scammers looking to piece together more personal information.
What Canvas users should do now
- Be cautious of unsolicited emails or phone calls asking for personal information
- Do not click links in unexpected emails claiming to be from Canvas or your school district
- Monitor financial accounts and credit reports for unusual activity
- Contact your school or university for updates on platform availability
The Canvas breach is the second security incident in roughly eight months for Instructure. The company was also targeted in September of last year. Canvas announced its software is back online, but Duval County Schools says the platform will remain disabled locally until the issue is fully resolved.