
Crisis Communications Lessons from the Canvas Data Breach


The Clock Was Already Running


by: Michelle Sinning, APR

On May 7, 2026, students across the country — from elementary schoolers to college seniors — tried to log into Canvas and were greeted with a ransom note. Black screen, red border, a message from an extortion group called ShinyHunters announcing they had breached Instructure, the company behind Canvas, and stolen data on 275 million students, faculty, and staff across nearly 9,000 institutions worldwide. Private messages. Student ID numbers. Email addresses. All of it. For college students, it was finals week. For K-12 students, it was the final stretch of the school year.

For most people, that was the moment the crisis began — and the beginning of a crisis management and data breach case study for the ages.

It wasn’t. The breach had been confirmed six days earlier — on May 1. Instructure had known. They had posted about it, technically, to a status page that systems administrators monitor and almost no one else visits. There had been no email to affected families. No statement on the company’s main website. No social media post. No direct outreach to the students, parents, faculty, and administrators whose data had been compromised.

By the time the ransom note made it impossible to ignore, the crisis was already a week old — and Instructure had spent that week visible only to the IT professionals who knew where to look.

Hiding in Plain Sight

For the first nine days of this crisis, Instructure’s primary communication channel was its technical status page — a subdomain designed for systems administrators and IT operations teams to monitor infrastructure health. It is not where students go. It is not where parents go. It is not where faculty go. It is not where university presidents fielding calls from trustees go. It is not where journalists go first.

Systems administrators know what a status page is. Most of the 275 million people whose data was compromised do not — and had no reason to.

Posting breach disclosures exclusively to a technical status page isn’t transparency. It’s the crisis communications equivalent of burying the disclosure in the fine print. The information exists, technically. It just isn’t where anyone would think to look.

Was Instructure legally required to post publicly on its main website? Not necessarily. FERPA obligations ran to the institutions, not the general public. But legal obligation and reputational obligation are different things. When an organization serves 275 million people — including children — there is a credibility argument for proactive public transparency that exists entirely apart from what the law requires. Organizations that voluntarily communicate in a crisis are consistently perceived as more trustworthy than those that disclose only what they must. Silence, even legal silence, reads as concealment. And in an era when a ransom note can reach every user simultaneously, the cost of that perception is immediate and measurable.

The Message That Made Everything Worse in a Crisis Management and Data Breach Response

Forty minutes after the ShinyHunters ransom note appeared on Canvas login pages across the world, Instructure replaced it with a page that read: “Canvas is currently undergoing scheduled maintenance.”

There was no scheduled maintenance. The platform had just been re-compromised by the same group that had breached it the week before — in part because Instructure had attempted to patch its way out of the problem rather than engage with the attackers, a decision the attackers themselves made very public.

In crisis communications, there is a meaningful distinction between saying too little and saying something false. Instructure crossed that line on May 7. The original breach was a cybersecurity failure. The “scheduled maintenance” message was a trust failure — and trust failures are substantially harder to recover from.

What Did Instructure Tell the Schools?

This is a question worth asking carefully — because we don’t have the full answer.

We do know that school districts across the country sent family notifications that used nearly identical language about what data was involved and what wasn’t. That consistency suggests Instructure provided institutions with some form of briefing or talking points — which, if true, is the right instinct. Getting consistent, accurate information to 9,000 institutions quickly is exactly what a vendor in this situation should do.

But talking points about what was taken are not a complete communications strategy. The language that reached families told them what data may have been compromised. It said little about what Instructure was doing to fix it, why it happened, or what families should specifically do to protect themselves. Districts with strong communications teams added that context themselves. Districts with fewer resources passed along the bare minimum and stopped there. And some schools, by all accounts, sent nothing.

The result was a patchwork. Whether a family received timely, useful, actionable guidance depended largely on which school their child attended. That’s the gap a proper crisis communications partner toolkit is designed to close — not just the facts, but the full package: template family notifications, FAQs for frontline staff, recommended action steps, suggested timing. Pre-written, pre-approved, ready to customize and deploy.


The Case for a Crisis Playbook

We don’t know whether Instructure had a dark site ready and chose not to use it, or simply didn’t have one. What we do know is that a public-facing crisis page on the company’s main website — visible to anyone looking for information — did not appear until more than a week after the breach was confirmed. (Instructure’s incident update page is being actively updated as the situation develops.)

This is why, at Bernstein Crisis Management, our crisis management and data breach counsel begins with the same three recommendations for any organization with significant public exposure: a crisis communications playbook, scenario-specific draft messaging, and a dark site.

A dark site is a pre-built, legally reviewed, stakeholder-facing web page that lives in draft form until it’s needed — ready to activate within hours of a triggering event. Plain language. Clear facts. What is known, what isn’t yet known, who to contact, when the next update will arrive. On the organization’s primary domain, visible to everyone who needs it.

The playbook and the draft messaging are what allow the dark site to go live on day one, when the information vacuum is most dangerous and other voices are most eager to fill it. None of this requires sophisticated technology. It requires scenario planning, organizational discipline, and the decision — made in advance, not in the middle of a crisis — to treat communication as part of incident response rather than something that follows after it.

One Breach Too Many

One question the FAQ addresses but doesn’t fully answer: what specifically is being done differently to prevent a third incident?

This was not Instructure’s first encounter with ShinyHunters. The same group breached Instructure’s systems through a social engineering attack in September 2025. Instructure addressed this directly in the FAQ, noting that the two incidents involved different systems and circumstances — a fair distinction. But third-party security analysis suggests the September incident was nonetheless a proof of concept, ShinyHunters mapping Instructure’s environment for a larger campaign. The May 2026 breach was that campaign. The declaration on May 2 that the situation was “contained” was contradicted five days later when ShinyHunters walked back in through the same door.

The CEO letter acknowledged the pattern and deserves credit for not dodging it. But acknowledgment and accountability are different things. Rebuilding trust after a crisis management and cybersecurity failure of this scale requires demonstrated structural changes, third-party validation, and sustained transparent communication over months — not a single letter, however well-written.

Crisis Management and Data Breach: What Instructure Got Right — Eventually

Fairness requires saying this: the May 9 CEO letter and accompanying FAQ modeled several things crisis communications professionals specifically recommend.

CEO Steve Daly led with accountability, not process. He acknowledged that the company “focused on fact-finding and went quiet” when stakeholders needed updates. He signed it himself — not the communications team, not a generic company footer. The FAQ committed to specific, measurable actions: a 48-hour update cadence, engagement of CrowdStrike for forensic analysis, and a clear answer to the hardest question — two breaches in eight months, and why anyone should trust them again. Notably, the FAQ also committed that Instructure would support affected institutions with their legal notification obligations, a meaningful and underreported statement.

Where the FAQ falls short is equally instructive. There is no timeline offered for when the data was accessed — a basic question families and institutions were asking. The response to the international and GDPR scope question is essentially a placeholder. And notification to affected institutions didn’t begin until May 5, four days after the breach was confirmed.

The FAQ also earns credit for answering the hardest question directly: “This is the second data breach in less than a year. Why should we trust you?” Most organizations in crisis deflect or over-promise. Instructure’s answer acknowledged the concern without false reassurance — and committed to earning trust through action rather than assertion. That’s the right posture.

The right elements are present. The execution is uneven. And all of it needed to exist on day two, not day nine.

The Story Isn’t Over

Some of this picture has already come into sharper focus. Late on May 11 — ten days after the breach was confirmed — Instructure announced it had reached an agreement with ShinyHunters for an undisclosed amount. The company stated the data was returned and that it received digital confirmation of destruction via shred logs. The agreement covers all impacted customers, and individual institutions have no need to engage with ShinyHunters directly. Instructure also announced a webinar with company leadership on May 13, to be held across multiple time zones, to detail the attack and remediation steps. This is a meaningful commitment to transparency.

Whether paying a ransom was the right decision is a separate debate, and one with no clean answer. What it confirms is the severity of what was at stake — and the cost of the silence that preceded it. Instructure acknowledged as much in the update, noting that, “there is never complete certainty when dealing with cyber criminals” — a notably candid admission.

The Narrative Belongs to Those Who Claim It

Other questions remain open. The full scope of what was exfiltrated has not been independently verified. Institutions are still waiting for the customer-specific scope letters Instructure promised. Multiple law firms are actively investigating class action claims. The Wikipedia entry on the 2026 Canvas security incident is being actively updated as developments continue to emerge.

More details will surface in the coming weeks. Some may change the picture. Some may not.

But here is what the record already shows: when Instructure went quiet, other voices filled the silence. Security researchers published timelines. Law firms issued client alerts. University IT teams sent their own advisories. Reddit threads became, for many students, the primary source of information about what had happened to their data. And ShinyHunters communicated more directly with Canvas’s end users — via a ransom note on the login page — than Instructure did at any point in the first week.

That is what happens when an organization in crisis doesn’t move to control its own narrative.

We say this not to pile on. Crisis managers understand better than most that the first hours of a breach are genuinely chaotic, that legal considerations are real, and that organizations often cannot say everything they know as quickly as the public wants. We work with clients every day who face exactly these pressures.

But the tools to handle this better — a dark site, a stakeholder notification protocol, a pre-designated spokesperson, a communication cadence — were likely available and established, but not activated when it mattered. When companies aren’t forthcoming, the public fills the gaps. And once that happens, even the best crisis management and data breach response can’t give you back the narrative you chose not to claim.

Bernstein Crisis Management helps organizations build the crisis communications infrastructure they hope they’ll never need — before they need it. If your organization doesn’t have a tested crisis plan, a dark site, or a data breach response protocol in place, contact us to discuss where your vulnerabilities are.