Canvas Cybersecurity Incident May 2026

The University of Edinburgh was advised on 1 May 2026 of a global cybersecurity incident affecting the Canvas learning management system used by our short course learners and staff.

Update 26 May 2026

After completing a preliminary data review, Canvas has informed the University that University of Edinburgh data was not involved in this incident. A third party review is underway and Canvas will confirm their determination to the University once their data review is complete.

Update 12 May 2026

  • Canvas have reached an agreement with the cyber criminals and all data has been returned to them. Canvas have received assurance that the data will not be shared elsewhere and have proof that copies of the data were deleted.

  • Payment data for University of Edinburgh is not affected as this is processed separately from the Canvas platform.   

The University understands this news may be unsettling and is actively taking precautions to keep our applications secure.  

What does this mean for our Canvas users?

As a precaution, the University recommends:

  • Being cautious of unexpected emails or messages, especially those asking for personal information or prompting urgent action

  • Not clicking unfamiliar links

  • Do not open unexpected attachments

  • Changing your password - You can generate a password by choosing three or more random unrelated words of four or more letters plus and altering as necessary to fit with the password rules of the service or add extra complexity. See the UK National Cyber Security Centre advice and remember that using longer random unrelated words or more words will make longer and stronger passwords.

If we discover that you are affected by this cybersecurity breach, we will contact you directly.

If you have any concerns, please reach out to our Short Courses Enquiry Management Team: enquiries.shortcourses@ed.ac.uk

All further updates on the incident will be posted on this webpage, please check back regularly for updates.

Update 08 May 2026

The University of Edinburgh has been advised of an ongoing global cybersecurity incident affecting Instructure, the parent company of our learning platform Canvas used by our short course learners and staff. 

Instructure’s investigation is ongoing and early indications are that users at the University of Edinburgh are among those affected.  

  • We currently have no confirmation of the data involved and Canvas continue to investigate this.
  • Payment data for University of Edinburgh is not affected as this is processed separately from the Canvas platform.

The University understands this news may be unsettling and is actively taking precautions to keep our applications secure.

As a precaution, the University recommends:

  • Being cautious of unexpected emails or messages, especially those asking for personal information or prompting urgent action
  • Not clicking unfamiliar links
  • Do not open unexpected attachments
  • Changing your password - To create a strong password, use a mix of at least 8 random characters, including letters, numbers, and symbols. Avoid using full words, names, and common sequences (e.g. 12345). You can use a random password generator to create a strong password. For guidance on how to change your password please see our FAQs.

All further updates on the incident will be posted on this webpage, please check back regularly for updates. 

This article was published on