Notice Regarding a Recent Canvas LMS Security Incident

We are writing to inform you of a recent cybersecurity incident involving Canvas, an online learning platform previously used by Comox Valley Schools. Although Comox Valley Schools no longer uses Canvas, the system was in use between 2018 and 2024, and some historical account data remains within the platform.

We became aware of this incident on May 5, 2026, and have initiated the reporting process with the Office of the Information and Privacy Commissioner for British Columbia.

What Happened

Instructure, the parent company of Canvas, has notified us that Comox Valley Schools may be among the organizations affected by a recent security breach. This notice is based on information provided by Instructure and our own internal review. We will continue to share updates as more details become available.

What Information Was Involved

Based on the information currently available, the impacted data was limited to:

  • Student and staff names
  • School-issued email addresses
  • Names and email addresses of parents/guardians who signed up for Canvas observer accounts

What Information Was Not Involved

 There is no evidence that the following data was accessed or impacted:

  • Student or staff assignments, documents, or coursework
  • Grades or assessment information
  • Teacher feedback or comments

Highly Sensitive Information Was Not Stored in Canvas

Comox Valley Schools did not store the following types of information in Canvas:

  • Home addresses or phone numbers
  • Dates of birth
  • Financial or tuition information
  • Government identification numbers (such as PENs)

Account Security

Because Comox Valley Schools used Microsoft Entra for authentication:

  • Passwords were not stored in Canvas
  • Student and staff login credentials remain secure

System Safety and Remediation

Instructure has confirmed that:

  • The vulnerability that led to this incident has been patched
  • There is no ongoing threat to the Canvas platform
  • Instructure is continuing its investigation and is working with the FBI and third-party cybersecurity experts.

Actions Being Taken by Comox Valley Schools

Our IT and leadership teams are taking the following steps:

  • Requesting an institution-specific impact report from Instructure to identify exactly which accounts were affected
  • Auditing existing Canvas accounts to ensure access remains restricted
  • Monitoring updates from Instructure as their investigation continues

What You Can Do

No action is required at this time. However, we encourage continued vigilance against phishing or scam attempts.

Please be cautious of emails or messages that include:

  • Requests for passwords or login information
  • Urgent prompts to click links or download attachments
  • Requests for gift cards or financial assistance

Scammers may reference real names or former classes to appear legitimate.

Our Commitment to Transparency

While the overall risk to our community appears low, we believe it is important to keep you fully informed. If Instructure provides individual-specific information or additional supports, we will communicate those details promptly.

We understand that incidents like this can be concerning. Please know that Comox Valley Schools remains committed to protecting the privacy and security of our community.

If you have any questions, please contact our technology team at privacy@sd71.bc.ca

Sincerely,

Craig Sorochan

Communications Manager

Comox Valley Schools