|
IT Coordinators and Cybersecurity Coordinators,
We are writing to inform you of a recent cybersecurity incident affecting Instructure.com, the provider of the Canvas learning management platform used by many institutions, including TEA’s TEA Learn environment and local school systems.
Instructure disclosed that a criminal threat actor accessed certain systems in late April/early May 2026, resulting in the exposure of some user data. Reported data elements include names, email addresses, student ID numbers, and messages within the platform. At this time, there is no indication that passwords, financial data, or government identifiers were compromised.
The threat actor has publicly claimed a larger dataset and has issued extortion demands; however, the full scope of impacted users remains under investigation.
For additional details, you may reference:
What this means for Canvas users
Recommended actions for all school systems and users
We ask that all school systems take the following actions and share them with affected staff:
1. Review account security
-
If users reused the same password for Canvas and any other system (e.g., email, district network, personal accounts), they should immediately change those passwords on all other systems.
-
Encourage using unique passwords for each system to limit potential impacts from this type of incident.
-
Ensure multi-factor authentication (MFA) is enabled wherever available.
2. Monitor for suspicious activity
-
Review account activity and communications for anomalies.
-
Report any suspicious emails, account behavior, or login issues to your IT/security team.
3. Reinforce phishing awareness
-
Expect an increase in targeted phishing emails referencing Canvas or school systems.
-
Advise users not to click links in unsolicited emails and to access Canvas sites directly via known URLs.
-
Some sites, including TEA Learn, may not be accessible.
4. Validate integrations and access
-
If your district uses integrations or API-based tools with Canvas, confirm they have been re-authorized and are functioning as expected.
-
Remove any unused or unnecessary integrations.
5. Maintain local vigilance
-
This incident primarily involves exposure of contact and communication data, which increases the risk of social engineering and impersonation attempts.
TEA actions
TEA Learn is hosted on the Instructure Canvas platform. While this incident was not specific to TEA, any user account within TEA Learn may have been included in the data exposure if accessed by the threat actor.
-
Working with ESC 11, which is coordinating directly with Instructure and monitoring updates related to this incident related to TEA Learn.
-
Assessing any potential exposure specific to TEA-managed environments.
We will provide additional updates if new information materially changes risk to Texas school systems.
If you have questions or observe suspicious activity related to this incident, please contact the TEA cybersecurity team: cybersecurity@tea.texas.gov.
Thank you for your continued vigilance and partnership in protecting our school communities.
Chief Information Security Officer
Cc: School System Superintendents
|
|
|
The Texas Education Agency will improve outcomes for all public-school students in the state by providing leadership, guidance, and support to school systems.
     
|
|
|
|
