What the Canvas breach tells us about the state of education security

Education has always been a high-trust environment.

Students share medical concerns with advisers. Teachers communicate sensitive accommodations. Administrators manage systems that touch millions of young lives. That trust is exactly what makes education such an attractive target, and exactly what makes a breach like the one hitting Instructure's Canvas platform this week so consequential.

On May 1, Instructure confirmed that attackers had accessed its cloud environment, exposing names, email addresses, student ID numbers and private messages for potentially hundreds of millions of students, teachers and staff across more than 8,800 institutions worldwide. The criminal group ShinyHunters claimed responsibility and threatened to leak the data unless a ransom is paid. For many institutions, the breach arrived at the worst possible time: finals week.

What we know about the attack

Based on what has been publicly confirmed and reported, the Canvas breach follows a pattern that should sound familiar to anyone watching the education threat landscape closely.

ShinyHunters exploited a vulnerability in Instructure's cloud environment to gain access. The group then used API-based tooling (not endpoint malware) to automate the extraction of large volumes of data. They also accessed Instructure's Salesforce instance, a cloud-based customer management platform, compounding the scope of the exposure.

Notably, this is the second confirmed breach of Instructure by the same group; a social engineering attack against the company's Salesforce environment occurred in September 2025.

The attack vectors align with what security researchers have been warning about for years:

• Compromised credentials
• SaaS platform sprawl
• Excessive trust between integrated systems
• Insufficient enforcement of multi-factor authentication (MFA) on privileged accounts.

Instructure itself, in its post-incident guidance to customers, specifically recommended enforcing MFA on privileged accounts, reviewing admin access and rotating API tokens — guidance that points directly at where the gaps likely were.

To be clear: passwords, dates of birth, Social Security numbers and financial data were not confirmed as part of the exposed dataset. But names, student IDs, email addresses and private messages create powerful raw material for phishing, social engineering and targeted fraud. In education, where trust between students and institutions is foundational, that matters enormously.

How Jamf approaches security in education

Jamf systems and customer data were not affected by the Canvas breach. The education community deserves to understand what protects Jamf, and more importantly, what protects the institutions and students who depend on the devices and systems we help manage.

Jamf protects customer data through a rigorous, continuously operating security program aligned to NIST 800-53 and certified under ISO 27001.

Our controls span:

• Access management
• Vulnerability remediation
• Continuous monitoring
• A documented incident response program

And it's all backed by annual third-party audits, 24/7 security operations and SLA-driven remediation timelines. Security is not a milestone for us; it is an ongoing practice built into everything we do.

Jamf's commitment to education security

Our capabilities address several dimensions directly relevant to the attack that hit Canvas.

High compliance standards

Jamf maintains certifications and compliance postures that align with the strictest requirements in regulated industries, including education. Our infrastructure is built around the principle that student data is sensitive data, period. We don't treat compliance as a checkbox; it shapes how we build, deploy and operate.

Student safety by design

Jamf Safe Internet brings content filtering, threat prevention and network-level protection directly to student devices. Not as a cloud service that sits outside the endpoint, but as an on-device capability that works even when students are off school networks. This matters because attacks increasingly target the browser and application layer, not just the network perimeter.

EdTech standards alignment

Jamf aligns with recognized education technology privacy and interoperability frameworks, including standards from 1EdTech (formerly IMS Global). These frameworks govern how student data is handled, shared and protected across the ecosystem of tools schools use. When third-party SaaS integrations are a primary attack surface, knowing what data flows where (and enforcing limits on it) is foundational.

Why this breach is a signal, not an outlier

It's tempting to treat each breach as a one-off. A vulnerability was exploited. A vendor got hit. It won't happen to us. But the Canvas incident reflects systemic patterns in how education technology is deployed and how trust gets extended — often without governance to match.

Consider the attack surface that made this possible:

A widely used SaaS platform with API integrations touching thousands of institutions, privileged accounts without enforced MFA. Downstream connected services like Salesforce with elevated trust relationships, and legacy credential practices that couldn't contain the blast radius once initial access was gained.

These aren't Canvas-specific problems. They describe the infrastructure reality of most modern educational institutions.

Bad actors increasingly target unmanaged browsers, weak credential practices, legacy portals and third-party SaaS sprawl.

Jamf's strengths align directly against those issues:

• Managed device postures and conditional access integrations
• On-device security and compliance enforcement
• App controls and identity-aware access
• Tighter Apple ecosystem integration

The deeper point is this: education institutions don't just need managed devices anymore — they need managed trust across identity, access, applications and endpoints.

What you can do right now

Whether or not your institution was affected by the Canvas breach, this is a useful moment to assess your own posture. Here are practical steps worth taking immediately.

1. Enforce MFA everywhere, especially on privileged accounts.

Instructure's own post-incident guidance said it directly. Administrative accounts, API integrations and any system with elevated access should require multi-factor authentication without exception. Jamf Connect makes it straightforward to enforce identity-based access at the device level, tying authentication to your identity provider.

2. Audit your third-party integrations.

Every SaaS tool connected to your core platforms represents a potential pivot point.

Review:

• What data each integration can access
• Whether those permissions are still necessary
• When API tokens were last rotated

If you can't answer those questions quickly, that's the first gap to close.

3. Review admin access and remove excess privilege.

The principle of least privilege sounds simple, but it erodes fast in busy IT environments. Who has admin rights to your LMS, your SIS, your identity provider? When were those rights last reviewed? Automated deprovisioning and lifecycle governance (capabilities Jamf supports across the device and identity layer) are not optional in high-trust environments.

4. Check your conditional access policies.

Can a compromised credential from an unmanaged, unrecognized device gain access to your core systems? Jamf's conditional access integrations with identity providers help ensure that only devices meeting your security posture requirements can access sensitive applications, even if a password has been compromised.

5. Communicate with your community.

If your institution was listed among the affected Canvas schools, students, parents and staff deserve clear, timely communication. Phishing attacks that impersonate trusted senders are the most predictable downstream consequence of a breach like this. Proactive guidance on what to watch for is one of the most effective things you can do.

The bigger picture

The Canvas breach is another data point in a pattern that's been building for years: education is a high-value target, education technology infrastructure is often under-governed, and the trust relationships between platforms carry risk that institutions rarely have full visibility into.

Jamf has been building toward a different model; one where identity is foundational, deployments are purposeful and access is earned through verified posture rather than assumed from a password. That's not a pitch in the wake of a crisis. It's the direction the threat environment has been pointing for a long time.

If you'd like to talk through how your institution's current posture maps against these risks, we're here for that conversation.