Canvas data breach explained: what UK students need to know

Thousands of universities and colleges around the world — including institutions in the UK — are dealing with the fallout from a major cyberattack affecting the popular learning platform Canvas.  

The educational data breach has raised serious concerns about student privacy after hackers claimed they stole huge volumes of data, including messages sent between students and staff. 

What makes this incident particularly unusual is that the company behind Canvas, Instructure, has publicly confirmed it reached an agreement with the hackers in an attempt to stop the stolen data being published online. 

What is Canvas?

Canvas is one of the world’s most widely used online learning platforms. Universities use it to manage course materials, assignments, lecture recordings, assessments, student messaging, and communication between staff and students. 
 
The platform is used across the UK higher education sector, alongside universities in the US, Canada, Australia, and Europe. 

What happened in the Canvas cyberattack?

According to Instructure, the breach was discovered around 29 April 2026 after hackers gained access to parts of its systems and stole customer data. 
 
The attack was claimed by the cyber extortion group ShinyHunters, a hacking collective previously linked to major breaches affecting global companies.  
 
The group claimed it stole data linked to nearly 9,000 educational institutions and up to 275 million individuals worldwide. 
 
Hackers also alleged they accessed: 

  • Student and staff names 
  • Email addresses 
  • Student ID numbers 
  • Internal communications and messages 
  • Potentially billions of private conversations stored within Canvas.  
     

Some reports have suggested that major universities including the University of Sussex, Queen’s University Belfast (QUB), the University of Oxford and the University of Cambridge may be among the affected institutions, although the full scale of UK exposure is still unclear.

Why is the breach attracting so much attention?

Most ransomware and extortion attacks happen quietly behind the scenes. This one became highly visible because students were actively using the platform during exams and coursework submissions. 
 
In the US, some students reportedly saw ransom messages appear directly on their screens during online assessments. 
 
The hackers threatened to release the stolen data publicly unless a ransom demand was met.

Instructure has now confirmed it reached an agreement with the attackers, stating that:

  • The stolen data was returned 
  • The hackers provided “digital confirmation” of deletion 
  • Customers would not be individually extorted
  • The agreement applied across affected institutions.  

Instructure has not confirmed the full terms of the ransom payment. 

Paying hackers is generally considered a bad idea, as it can incentivise further attacks. 

What does this mean for UK universities and students?

Several UK universities have already confirmed they are investigating the impact. 
 
The University of Sussex told students that some personal data, including email addresses and messages sent between staff and students, may have been accessed during the attack. The university also warned students to remain alert for phishing scams and suspicious communications. Oxford’s student newspaper has also reported that Oxford temporarily disabled Canvas after being notified by Instructure of unauthorised access. 
 
National higher education bodies are reportedly coordinating parts of the UK response. 

Will this lead to a data breach compensation claim?

Under UK data protection law, organisations handling personal data must take appropriate security measures to protect it. Where personal information is exposed because of inadequate cyber security, affected individuals may have rights under the UK GDPR and Data Protection Act 2018. 
 
That does not automatically mean a compensation claim will follow in this case. Much will depend on: 

  • What data was accessed  
  • Whether UK students were affected 
  • The security measures in place beforehand
  • The consequences for individuals 
  • Whether regulators identify failings.

What should UK students do now?

Even if you have not received a notification from your university yet, it is sensible to remain cautious. Students should consider:

  • Being extra careful with emails claiming to come from universities or student services
  • Avoiding unexpected links or attachments
  • Watching for fake password reset emails
  • Checking whether personal rather than university email addresses are linked to learning accounts 
  • Using strong, unique passwords across university services.

If further information emerges about the scale of UK exposure, universities may contact affected students directly. 
 
We are monitoring developments and will provide updates on this breach as needed.  

Join the Claim connects consumers with SRA-regulated lawyers. Keep an eye out for updates on any potential claim and possible eligibility checks/registration opportunities.

This information is for general guidance only and does not constitute legal or financial advice.
