Modena360 Blog

blog image

When Your Data Lives in Someone Else's Cloud: Lessons from the Canvas Breach

In early May 2026, Instructure — the company behind Canvas, the learning platform used by thousands of schools and universities worldwide — disclosed a cyber incident. Within days, the extortion group ShinyHunters claimed responsibility, saying it had stolen roughly 275 million user records and around 3.65 terabytes of data spanning more than 8,800 educational institutions. It is being described as the largest education-sector breach on record.

What happened next is the part every business should pay attention to. After Instructure publicly indicated the incident was resolved, the attackers re-compromised the platform a few days later, redirecting the Canvas pages of major universities to a fresh ransom message with a hard deadline. Instructure reportedly paid a ransom, after which the attackers claimed to have returned and destroyed the data. The disruption hit students and staff in the middle of exam season.

Your business may not run Canvas — but it almost certainly runs payroll, email, file storage, accounting or customer data on someone else's cloud platform. That is exactly the position every Canvas customer was in.

Why This Matters for Your Business

  1. Your data is only as secure as your vendors. When you hand data to a SaaS provider, you outsource the software — but not the consequences. A breach at one supplier can expose every customer at once.
  2. "Resolved" is not the same as secure. The attackers came back after the incident was declared over. Assuming a problem is fixed because a vendor says so is a dangerous default.
  3. Paying a ransom is not a recovery plan. Even when a ransom is paid, there is no guarantee data is truly destroyed or won't resurface. It funds the next attack and leaves you dependent on a criminal's word.
  4. Breaches arrive at the worst possible time. This one landed during exams. For your business, it could be end of financial year, a product launch, or your busiest trading week.

What Every Business Should Do Now

  • Map where your data actually lives. Know which third-party platforms hold your sensitive data, and what each would expose if breached.
  • Vet your vendors' security. Ask suppliers how they protect, encrypt and back up your data, and what their breach-notification process is — before you sign, not after.
  • Keep your own independent backups. Do not rely solely on a vendor to hold the only copy of critical data. Maintain separate, regularly tested backups you control.
  • Enforce MFA and least privilege on every platform. Strong authentication and minimal access limit how much a single compromised account or vendor can expose.
  • Have a tested incident-response plan. Know in advance who does what, how you communicate, and how you keep operating if a key platform goes dark.

How a Managed Service Provider (MSP) Helps

  • Vendor & third-party risk assessment — a clear view of which suppliers hold your data and how well they protect it.
  • Independent backup & disaster recovery — your own tested copies of critical data, so you are never wholly dependent on a vendor.
  • Continuous monitoring & detection — round-the-clock watch for signs that an account or platform has been compromised.
  • Identity & access control — MFA and least-privilege access enforced across your cloud services.
  • Incident response planning — a rehearsed plan so a vendor breach becomes a managed event, not a crisis.

The Canvas breach is a textbook reminder that moving data to the cloud moves the convenience to you and a good deal of the risk to a third party you do not control. The businesses that stay resilient are the ones that treat vendor security as their own responsibility — mapping their data, keeping independent backups, and having a plan for the day a trusted platform is breached.


Do you know what would be exposed if one of your cloud providers was breached?

Modena360 helps Australian businesses assess vendor risk, keep independent backups and stay in control of their data.

Talk to Modena360