Grand Rapids Community College was among the institutions affected by a recent cybersecurity incident involving Instructure, the parent company of Canvas. Instructure confirms that usernames, email addresses, course names, enrollment information, and messages were involved in the security incident.
Canvas is the learning management system GRCC began using in the fall of 2025, making the switch from Blackboard. Canvas is used schoolwide for coursework, grades, assignments, and communication between students and instructors. Instructure owns and operates Canvas, meaning the incident involved a third-party vendor used by GRCC. GRCC’s own internal systems were not breached, according to the college’s communications.
Instructure said that course content, submissions, and credentials were not compromised, and GRCC Communications stated in a school-wide email that, “According to Instructure, unauthorized access to certain account-related data occurred. At this time, they have stated there is no indication passwords, dates of birth, government identifiers, or financial information were involved.”
While Canvas remains operational, questions remain about the specific impact the cybersecurity incident has on GRCC. GRCC’s communication shifted over the course of a week as Instructure released more information about the incident:
On May 6, GRCC sent a communication informing the school that it had been notified of a security breach involving Instructure, but had not been informed of any direct impact to GRCC.
On May 8, GRCC said Instructure confirmed that GRCC was among the impacted institutions. GRCC explained that unauthorized access included “certain account-related data,” but there was no indication that passwords, dates of birth, government IDs, or financial information were accessed. The college also connected a Canvas outage on May 7 to the incident. “Please note that yesterday’s Canvas outage was a direct result of Instructure’s cleanup and containment efforts related to this incident,” GRCC Communications wrote.
On May 12, GRCC Communications said Instructure reached an agreement with the perpetrators and said compromised data was returned and destroyed.
“Instructure has informed us that all compromised data was never released publicly, has been returned in connection with its agreement, and copies of the compromised data have been destroyed,” GRCC Communications stated.
The same update said GRCC’s exact data set hadn’t been confirmed. GRCC Communications said, “Although our exact data set was not confirmed by Instructure, they stated there is no indication passwords, dates of birth, government identifiers, or financial information were involved.”
On May 14, Instructure released a broad update on its website, giving more details about the types of information involved in the incident. “The data fields involved include information like usernames, email addresses, course names, enrollment information, and messages. Core learning data (course content, submissions, credentials) was not compromised. We’re still validating all findings, but we want to be clear about what we understand was and wasn’t affected,” Instructure said.
GRCC’s updates have not yet identified how many users were affected, what GRCC-specific data was accessed, or whether private Canvas messages between students and instructors were included in the compromised data.
GRCC among institutions affected by Canvas cybersecurity incident – The Collegiate Live
Leave a Comment
