Several Ontario postsecondary institutions are dealing with the fallout from a major cybersecurity incident involving Canvas, the widely used learning management platform. According to CBC News, the breach has affected schools including the University of Toronto, OCAD University, Western University’s Ivey Business School, Mohawk College, and Ontario Tech University. The incident is part of a wider disruption affecting thousands of educational institutions around the world.
Canvas is operated by Instructure, a United States based company that provides learning software used by schools to share course materials, lecture videos, assignments, messages, and grades. The company first disclosed that a criminal threat actor had accessed its systems earlier in May. It later said some user information may have been affected, including names, email addresses, student numbers, and messages. However, Instructure said there was no evidence that passwords, government identification, or financial information had been taken.
The University of Toronto temporarily shut down access to Quercus, its Canvas powered learning platform, as a precaution. The university advised students not to access the system while it worked with Instructure to resolve the issue. U of T also said other university systems were not compromised. OCAD University also reported a Canvas service disruption, later saying access had been restored while warning students to remain alert for possible phishing messages.
Cybersecurity experts have raised concerns about the scale of the incident. CBC News reported that David Shipley, CEO of Beauceron Security, described the breach as one of the most serious educational technology attacks he has seen. He said hackers appeared to return after the initial incident to extract more data, deface login pages, and send payment demands to schools and students.
The hacking group ShinyHunters has reportedly claimed responsibility for the Canvas attack, according to a threat analyst cited by the Associated Press and reported by CBC News. The group has been linked to major data extortion campaigns in the past. Reports also suggest the attackers claimed to have accessed information connected to more than 275 million people across 9,000 schools, although the full scope of the breach has not yet been independently confirmed.
The breach has affected institutions beyond Ontario as well. The University of British Columbia, Simon Fraser University, and the University of Alberta were also identified among Canadian schools impacted by the incident. Simon Fraser University said around 9,000 learning institutions globally were affected by the systems breach.
For students and staff, the biggest immediate risk may be phishing attempts. Schools have urged users to avoid clicking suspicious links, sharing passwords, or responding to unexpected messages asking for personal information. Anyone who receives unusual communications connected to Canvas or their university account should report them to their school’s information technology or service desk team.
The incident highlights the growing cybersecurity risks facing education systems as universities and colleges rely more heavily on digital learning platforms. For more coverage on Canadian education, technology, and public safety issues, visit Weekly Voice and the latest Canada news updates.
