Multiple post-secondary institutions across Canada say they’ve been impacted by a cyberattack targeting an education system used by thousands of schools globally.
Technology company Instructure said it launched an investigation on April 29 after detecting “unauthorized activity” in Canvas, a learning platform for schools that manages student coursework, grades and other education materials.
Information affected by the attack may include names, emails, and messages exchanged on the platform, but there’s no evidence that passwords, financial information, or government identifiers have been compromised, the company said.
Instructure said Canvas went offline temporarily but is now available to use, and an investigation into the breach is ongoing with a third-party forensic firm and law enforcement.
University computer systems attacked across the country
In Ontario, schools including the University of Toronto, Mohawk College, OCAD University, and Western University’s Ivey Business School were among the 9,000 schools worldwide impacted by the incident.
British Columbia schools, including UBC and Simon Fraser University, as well as the University of Alberta, also reported being affected by the incident.
Calgary-based Mount Royal University said in an email that its learning management system was not targeted in the attack.
“Mount Royal does not use Canvas, the learning management system that is believed to be the target of the attack,” reads the email, adding that university officials “continue to monitor the situation closely and will share updates if needed.”
Privacy watchdogs looking for more information
A spokesperson for Canada’s federal privacy commissioner said the office is aware of the matter and has reached out to the company to “obtain more information and determine next steps.”
Ontario’s privacy commissioner’s office said it was notified of the incident on Friday and is looking into the matter.
“Given the potential seriousness of this cyber incident, our office is closely monitoring the situation,” it said in an emailed statement.
Though private sector companies such as Instructure are subject to federal privacy laws, Ontario’s provincial and municipal institutions are still accountable for protecting records and personal information in their custody “regardless of who processes data on their behalf,” the statement said.
The Instructure breach follows the October sentencing of a Massachusetts man who pleaded guilty to cyberextortion of two companies, including the education software firm PowerSchool, in a 2024 cyberattack that affected current and former students, parents, and staff at some school boards in the U.S. and Canada.
PowerSchool later said it paid a ransom to the threat actor and provided credit monitoring and identity protection services to those impacted.
Privacy watchdogs in Ontario and Alberta investigated the PowerSchool breach, concluding in a report last November that more than five million Canadians were affected by the cyberattack and school boards lacked adequate response plans, among other issues.
The provincial privacy commissioners made recommendations in their reports, including that the boards review their agreements with PowerSchool, implement monitoring systems and ensure adequate breach policies are in place.
— With files from Calgary Journal Staff
This report by The Canadian Press was first published May 8, 2026.