How to use this checklist: Work through the sections in priority order, Section 1 first, and check each item off as you complete it. Assign ownership and document evidence in your own incident tracking system. Share this checklist with your security team and IT leadership.
Framework references: Items reference NIST SP 800-207, CISA ZTMM v2, and CIS Controls v8 where applicable. Items marked Advanced require additional tooling or configuration and may not apply to all institutions.
Immediate — Complete within 24 hours
Section 1: Immediate Response Actions
1.1 Activate Incident Response
Activate your incident response team
Assign roles: incident commander, communications lead, technical lead. If you don't have a formal IR plan, designate these roles now from available IT and security staff.
Evidence: Named roster with contact info documented
Notify key stakeholders
Inform: superintendent / provost, legal counsel, communications/PR, IT leadership, and department heads whose data is in Canvas.
Evidence: Notification log with timestamps
Enable Canvas audit logging
If not already enabled: Canvas Admin → Settings → Audit Log. Verify logs are being collected and retained. You need this data for forensic analysis.
Evidence: Screenshot of enabled audit logging with timestamp
Export Canvas audit logs (April 30 to present)
Export all audit logs from April 30, 2026 forward. Look for: unusual API access, bulk data downloads, account permission changes, access from unexpected locations.
- Canvas Admin → Audit Log → filter by date range
- Document the export date and log range
Evidence: Log export file with documented date range
Open urgent support ticket with Canvas / Instructure
Contact Instructure support immediately. Request: forensic analysis of your institution's instance, confirmation of what data was accessed, and their incident response timeline.
Evidence: Support ticket number and correspondence log
Review Canvas's official security notice
Check Canvas status page and security documentation for guidance specific to this incident. Document any vendor-provided remediation steps and whether you have completed them.
Evidence: Documented vendor guidance with completion status
1.2 Credential and Session Management
Force re-authentication for all active Canvas sessions
Canvas Admin → Settings → Sessions → Invalidate all sessions. All users will be required to log back in. Do this before or immediately after resetting admin passwords.
Evidence: Timestamp of session invalidation
CISA ZTMM — Identity Pillar
Reset all Canvas admin and teacher account passwords
Force password reset for all admin and teacher roles. Minimum 16 characters, unique (not reused from other systems). Coordinate with your identity provider (Azure AD, Okta, Google Workspace) if Canvas uses SSO.
Evidence: Password reset log from identity provider
CIS Controls v8 #5 — Account Management
Audit all Canvas admin accounts — remove unused accounts
Review who has admin, sub-account admin, and teacher roles. Remove or disable any account that is no longer actively used. Former staff accounts are a common attack vector.
Evidence: Exported list of active Canvas admin accounts with justification for each
CIS Controls v8 #6 — Access Control Management
Rotate all Canvas API tokens and developer keys
Identify every Canvas API key in use (Canvas Admin → Developer Keys) and rotate all existing keys immediately. For each key, document which system uses it, what scope it has, and who owns it, and coordinate with those owners so each integration receives its new key before the old one is revoked.
Evidence: Key inventory with rotation timestamps
NIST SP 800-207 §3.3 — Least Privilege
Enable MFA for all Canvas admin accounts
Canvas Admin → Settings → MFA Configuration (if supported in your deployment). If Canvas uses SSO, enforce MFA through your identity provider for all Canvas-entitled accounts.
Evidence: Screenshot showing MFA policy applied to admin role
CISA ZTMM Identity Pillar · CIS Controls v8 #6
48 Hours — Complete before ransom deadline
Section 2: Data Exposure Assessment
2.1 Identify What Data Is at Risk
Document all sensitive data stored in Canvas
Inventory what your institution has in Canvas:
- Student names, IDs, dates of birth
- Grades and academic records
- Student and staff contact information
- Course content and materials
- Canvas Inbox messages and discussions
- Any health, counseling, or financial aid content
Evidence: Data classification document for Canvas
CISA ZTMM Data Pillar · CIS Controls v8 #3
Determine applicable regulatory requirements
Assess which regulations govern your breach notification obligations:
- FERPA — applies to all institutions receiving federal funding; governs student education records
- HIPAA — if health or counseling data was in Canvas
- State privacy laws — most states have breach notification laws with specific timelines (often 30–72 hours)
- GDPR — if your institution has EU students or staff
Evidence: Legal review memo documenting applicable regulations and notification deadlines
2.2 Forensic Review of Canvas Activity
Analyze Canvas audit logs for suspicious access (April 30 – present)
Look for these indicators of compromise in your exported logs:
- Bulk data exports or mass record downloads
- API access from unexpected IP addresses or geolocations
- Access outside normal business hours, especially late night / early morning
- Admin account permission changes
- New developer keys or OAuth applications added
- User enumeration queries
Evidence: Documented findings from log review; flag anomalies for legal and IR team
Review SIS-to-Canvas integration data flows
If your Student Information System (PowerSchool, Infinite Campus, Ellucian, Banner, etc.) syncs data to Canvas, determine exactly which fields were in scope. Check whether the sync was one-way or bidirectional: a bidirectional integration means Canvas could have been used as a pivot point into your SIS.
Evidence: Integration data flow diagram with field-level scope
NIST SP 800-207 Tenet 7 — Monitor all assets
Identify and review all third-party Canvas integrations (LTI tools, APIs)
Canvas Admin → Developer Keys / LTI Integrations. List every integration: Zoom, Turnitin, VoiceThread, Google Classroom, etc. For each: what data can it access? When did it last authenticate? Is it still needed?
Evidence: Integration inventory with access scope and review status
CISA ZTMM Applications & Workloads Pillar
48–72 Hours — Before public notification
Section 3: Notification and Compliance
Notify affected students and staff
Draft clear, plain-language notification: what happened, what was taken, what they should do (change passwords, watch for phishing). Avoid legal jargon. Publish through official channels — school website, official email, and any parent notification system.
Evidence: Notification copy with distribution record
File required regulatory notifications
Based on your regulatory review (Section 2.1): notify the relevant state attorney general, education department, and/or data protection authority within required timelines. Engage legal counsel to draft notifications.
Evidence: Filed notifications with submission confirmations
Notify law enforcement if appropriate
Report to: FBI IC3 (ic3.gov) and/or CISA (cisa.gov/report). For K-12 institutions, contact your state's Department of Education cybersecurity team. Do NOT pay the ransom — report the extortion demand as part of your notification.
Evidence: Report reference numbers
Communicate with parents (K-12)
For K-12 institutions: parents have rights under FERPA. Prepare a parent-facing communication explaining what student data may have been exposed, what the school is doing, and what parents can do to protect their children.
Evidence: Parent communication sent via official channels
30 Days — Hardening and prevention
Section 4: Zero Trust Hardening
4.1 Identity Controls
Enforce MFA for all Canvas users (students, staff, faculty)
Not just admins — all users. Enforce through your identity provider if Canvas uses SSO. This is the single most impactful control to prevent credential-based access after a breach.
Evidence: MFA policy enforced and verified in IdP
CISA ZTMM Identity Pillar · CIS Controls v8 #6
Move Canvas integrations from static API keys to scoped, time-limited credentials
Static API keys that never expire are a critical vulnerability. Work with your identity provider to issue short-lived OAuth tokens for Canvas integrations. Each token should have the minimum scope required — not "read all student data" but "read enrollment data for this course."
Evidence: Integration inventory updated; static keys replaced
NIST SP 800-207 Tenet 3 — Per-session access
Implement privileged access review cycle (quarterly)
Schedule a recurring quarterly review of Canvas admin accounts, API keys, and integration permissions. Stale accounts and overly broad permissions are how attackers maintain persistence after an initial breach.
Evidence: Scheduled review documented in IT calendar
CIS Controls v8 #5 — Account Management
4.2 Data Controls
Classify and inventory data stored in Canvas
Formally document what data your institution has in Canvas and how sensitive each type is. Apply your data classification policy. Remove data from Canvas that doesn't need to be there — especially health records, financial aid documents, or SSNs.
Evidence: Data classification inventory for Canvas with sensitivity ratings
CISA ZTMM Data Pillar · CIS Controls v8 #3
Review SIS sync scope — minimize data in Canvas
Audit what your SIS pushes to Canvas. Canvas needs: enrollment data, course assignments, basic student identifiers. It does not need: health records, counseling notes, detailed financial data, or Social Security numbers. Remove these fields from any sync jobs.
Evidence: SIS sync configuration reviewed and fields minimized
NIST SP 800-207 Tenet 6 — Data minimization
4.3 Visibility and Monitoring
Set up ongoing Canvas API activity monitoring
Establish a baseline of normal Canvas API usage for your institution (normal query volume, access times, account types). Configure alerts for: bulk data requests, access outside normal hours, access from unexpected locations, unusual account permission changes.
Evidence: Monitoring policy documented with alert thresholds
NIST SP 800-207 Tenet 7 · CISA ZTMM Visibility & Analytics
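The log review in Section 2.2 and the alerting baseline in this item both come down to running the same checks over exported audit records. The script below is an added example, not part of this checklist and not Instructure's tooling: it scans Canvas-style audit records for the indicators listed above. The record layout, the campus network ranges, the working hours and the thresholds are all assumptions to replace with your real export format and your own baseline.

```python
# Added example (not from this checklist or from Instructure): triage script that
# scans Canvas-style audit log records for the indicators in Section 2.2 and the
# alert conditions in Section 4.3. Layout, ranges, hours and thresholds are assumed.
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # assumed campus ranges
BUSINESS_HOURS = range(7, 19)      # assumed normal hours: 07:00 to 18:59 local time
BULK_THRESHOLD = 500               # records returned by one request before it counts as bulk
ENUM_THRESHOLD = 20                # user lookups per actor per hour before it looks like enumeration
PRIV_EVENTS = {"role_change", "developer_key_created", "oauth_app_added"}

def flag_anomalies(records):
    """Return (actor, reason) pairs for every record that matches an indicator."""
    findings = []
    lookups = defaultdict(Counter)   # actor -> hour bucket -> number of user lookups
    for r in records:
        ts = datetime.fromisoformat(r["time"])
        actor = r["actor"]
        if r.get("records_returned", 0) >= BULK_THRESHOLD:
            findings.append((actor, f"bulk export of {r['records_returned']} records"))
        if not any(ip_address(r["ip"]) in net for net in KNOWN_NETWORKS):
            findings.append((actor, f"access from unexpected address {r['ip']}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((actor, f"off-hours access at {r['time']}"))
        if r["event"] in PRIV_EVENTS:
            findings.append((actor, f"privileged change: {r['event']}"))
        if r["event"] == "user_lookup":
            lookups[actor][ts.strftime("%Y-%m-%dT%H")] += 1
    for actor, buckets in lookups.items():
        for hour, n in buckets.items():
            if n >= ENUM_THRESHOLD:
                findings.append((actor, f"possible user enumeration: {n} lookups in hour {hour}"))
    return findings

# Constructed sample records (not real log data): one normal login, then a service account
# exporting in bulk, adding a developer key and enumerating users at night from an unknown address.
SAMPLE = [
    {"time": "2026-05-02T10:15:00", "actor": "admin_jlee", "ip": "10.20.1.5", "event": "login"},
    {"time": "2026-05-03T02:40:00", "actor": "svc_sync", "ip": "198.51.100.7",
     "event": "api_export", "records_returned": 12000},
    {"time": "2026-05-03T02:41:00", "actor": "svc_sync", "ip": "198.51.100.7",
     "event": "developer_key_created"},
] + [{"time": f"2026-05-03T02:{m:02d}:00", "actor": "svc_sync", "ip": "198.51.100.7",
      "event": "user_lookup"} for m in range(35, 59)]

if __name__ == "__main__":
    for actor, reason in flag_anomalies(SAMPLE):
        print(f"{actor}: {reason}")
```

Every finding carries the actor name, so the output can be sorted per account and handed to the IR team as the documented log-review evidence.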
Integrate Canvas audit logs into your SIEM or central log management
Canvas logs should not live only in Canvas. Forward them to your SIEM (Splunk, ELK, or similar) or, at minimum, to a centralized log store outside of Canvas, so you still have the logs if the Canvas platform is compromised or goes offline. (Advanced — requires tooling)
Evidence: Log forwarding configured; retention policy set
CISA ZTMM Visibility & Analytics Pillar
60–90 Days — Improve posture
Section 5: Recovery and Continuous Improvement
Conduct a post-incident review
Hold a structured review within 2 weeks of incident closure: what happened, how it was detected, what the response timeline was, what worked, what failed. Document lessons learned and assign follow-up actions with owners and deadlines.
Evidence: Post-incident report with action items
Update your incident response plan to include SaaS platform breaches
Most IR plans cover internal breaches but not vendor/SaaS incidents where you are a downstream victim. Add procedures specifically for: receiving vendor breach notification, assessing exposure, third-party coordination, and regulatory notification timelines.
Evidence: Updated IR plan with SaaS breach scenarios
Conduct a Zero Trust Maturity Assessment
This breach exposed gaps in Identity, Data, and Applications & Workloads pillars. Use a structured ZT maturity assessment to understand your current posture across all five pillars and build a roadmap for improvement.
Evidence: ZT assessment results with 90-day roadmap
CISA ZTMM v2 · NIST SP 800-207
Run phishing awareness training for staff and students
Attackers now have institutional email addresses and will use them. Run targeted training on: recognizing phishing using Canvas / school branding, reporting suspicious emails, and not clicking unsolicited password reset links. Focus especially on staff accounts, which have elevated Canvas privileges.
Evidence: Training completion records
CIS Controls v8 #14 — Security Awareness
Review all SaaS vendor contracts for security requirements and breach notification SLAs
This incident revealed how long it took Instructure to notify affected institutions. Review your Canvas contract (and all major SaaS contracts) for: breach notification timelines, security audit rights, data deletion requirements, and liability clauses. Update contracts at renewal if these are missing.
Evidence: Contract review findings with renewal action items