
On Saturday, Instructure made a meaningful statement addressing the cybersecurity incident communications failure that I described on Friday. CEO Steve Daly made a direct, simple apology in a named statement on its Incident Update page, and the company updated the FAQ section of that page with better, more direct answers.

But the improvement is still mostly in form, not substance.

The core of the communications issue is that Instructure is using vendor-operations language about an academic-continuity event. Academic leaders from U Illinois, U Chicago, ASU, and many others are announcing canceled or delayed finals—this is and continues to be a big deal. This is not a complaint about tone for tone’s sake; it is about whether the company is describing the same incident its customers are experiencing.

The 2010s Canvas pitch was that Canvas understood the academic mission. The LMS as enterprise infrastructure was in service of that mission, not the point. The 2026 Canvas voice has shifted register.

Focus on Controlling the Message

Three days after the May 7 ShinyHunters hack and the avalanche of complaints from Instructure customers, the company is still relying on carefully worded static updates rather than answering direct questions from higher ed’s trade press. That matters because the unresolved questions are not media-process questions; they are customer-risk questions.

The Associated Press asked about ransom payment and got no answer. Inside Higher Ed noted a more important lack of response.

Instructure didn’t provide Inside Higher Ed an interview Friday or answer written questions. In a statement it said that on Thursday—the same day the ShinyHunters messages appeared to users—it “discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate.”

Customers still have questions and need more than controlled static updates.

Language Tells a Story

I want to build on a key point that I made Friday.

This matters because Canvas is not just another enterprise system tucked away in administrative workflows. It is the day-to-day academic operating layer for millions of students and faculty. It is where students get assignments, submit work, access grades, review lecture materials, message instructors, and prepare for finals. When the platform is unavailable, defaced, or tied to exposed messages and identifying information, this is not merely a back-office security issue. It is an academic continuity issue.

Instructure’s statement to IHE positions this as an inconvenient platform security incident that caused stress.

“We have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” Instructure said in its statement. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”

“Inconvenience and concern” is not the framing that we’re seeing from educators, as noted in today’s Higher Ed Dive article [emphasis added].

The Canvas incident is a reminder that students and staff in schools have “very little control” over their mass amounts of sensitive data in ed tech platforms, said Shaila Rana, a cybersecurity professor at Purdue Global and a senior member of Institute of Electrical and Electronics Engineers, a global technical professional organization, in a May 8 statement to K-12 Dive.

“It’s really the asymmetry: users can’t opt out, can’t meaningfully audit how their data is protected, and are left absorbing the consequences when things go wrong,” Rana said. “What makes attacks on platforms like this especially damaging is the infrastructure dependency. It went down during finals week and it disrupted academic continuity across thousands of institutions simultaneously.”

Academic continuity is whether an institution can meet its core obligations, and this is the core impact around which any response should be centered.

Instructure's institutional voice is unfortunately the voice of a platform vendor managing an incident, not the voice of an education company recognizing that the incident hit its customers in the middle of finals.

Scale Matters

Beyond the academic continuity acknowledgement, there is a related issue around the academic scale of impact. Nowhere have I seen Instructure acknowledge the numbers of education institutions or the massive end-of-term impact.

There were reportedly more than 8,800 education institutions and ministries impacted with hundreds of millions of student records, including private communications between students and faculty. The 2024 PowerSchool hack impacted fewer institutions, but there was more sensitive information involved for tens of millions of users—social security numbers, addresses, medical records. By institutional reach and academic disruption, the 2026 Instructure cyber attack appears to be one of the two most significant education data breaches to date, alongside PowerSchool.

The timing, of course, makes the situation worse, as it comes right before or during final exams for so many colleges and universities. We’re not just talking about losing the system for a day or two in the middle of a term; we’re talking about universities having to extend their terms to allow for rescheduled final exams, canceled final exams in some cases, and other impacts that affect the institution’s operations, reputation, and risk profile.

Instructure should not wallow in this scale, but it should acknowledge how significant this security incident is for so many of its customers. And as we’re seeing, part of the issue is the concentrated risk of so much of education in so few academic platforms.

Transparency Matters

The other issue that needs to be addressed is the channel of communications. The incident_update page carries a noindex directive, meaning Instructure has published the page publicly while signaling search engines not to include it in search results. I found no comparable evidence that this is a general practice across Instructure’s corporate site; the site’s robots.txt blocks various administrative, search, and file paths, but that is different from applying noindex to a public incident-communications page. In the past, including the September 2025 ShinyHunters incident through Salesforce, Instructure acknowledged and described incidents in public, searchable blog posts.

Instructure did hit the right tone in CEO Daly’s statement.

Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.

The best-faith reading is that Instructure used noindex rather than robots.txt because it wanted the incident page to remain publicly accessible and crawlable while discouraging Google from treating it as a normal, durable search result. That is technically coherent: blocking the page in robots.txt could prevent search engines from seeing the noindex directive, while a page-level tag allows the company to publish a live operational update hub without inviting it to become permanent search collateral. But that same choice also has a longer-term effect: it suppresses ordinary search discoverability not just after the incident is resolved, when the company may reasonably want stale interim language to fade, but also during the incident, when customers, students, parents, reporters, and institutional stakeholders may be searching for the authoritative source. The question, then, is not whether noindex is technically defensible. It is whether a central public incident page should be configured in a way that limits search visibility at precisely the moment when discoverability is part of the trust obligation.

Likely due to all of the media coverage today with links to that page, the Incident Update page is now showing up as one of the top results for basic searches like “Instructure security incident”, whereas it was absent from searches yesterday. But if Instructure keeps that noindex page tag, the search discoverability may go away soon.
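The interaction between robots.txt and a page-level noindex described in this section can be checked mechanically by anyone auditing a public incident page. The following is an added example, not code from this newsletter or from Instructure; the URL, HTML, and robots.txt contents are constructed samples, and the function and label names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not captured from any real site).
SAMPLE_URL = "https://vendor.example/incident_update"
SAMPLE_HTML = ('<html><head><meta name="robots" content="noindex, follow">'
               '<title>Incident Update</title></head><body>...</body></html>')
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /search/\n"

class _RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"> / <meta name="googlebot">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def discoverability(url, html, headers, robots_txt, agent="Googlebot"):
    """Classify how a public page is exposed to search crawlers."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    meta = _RobotsMeta()
    meta.feed(html)
    # noindex can also arrive as an HTTP response header; agent-scoped
    # header values ("googlebot: noindex") are not handled in this sketch.
    hdr = {k.lower(): v for k, v in headers.items()}
    header = {d.strip().lower() for d in hdr.get("x-robots-tag", "").split(",")}
    noindex = bool({"noindex", "none"} & (meta.directives | header))

    if not crawlable and noindex:
        # The crawler never fetches the page, so it never reads the noindex.
        return "blocked-noindex-unseen"
    if not crawlable:
        return "blocked"
    if noindex:
        # Public and crawlable, but asked to stay out of search results:
        # the configuration this section describes.
        return "crawlable-noindex"
    return "indexable"

if __name__ == "__main__":
    print(discoverability(SAMPLE_URL, SAMPLE_HTML, {}, SAMPLE_ROBOTS))
```

Run against a status or incident page during an event, a result other than "indexable" means the page depends on inbound links rather than search to be found.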

Protecting Data

Sometimes what isn't stated matters as much as what is.

This hack was an extortion attempt. ShinyHunters set a May 12 deadline: pay or the data goes public on the dark web. According to AP reporting through PBS NewsHour, citing Emsisoft threat analyst Luke Connolly, Instructure and Canvas were removed from ShinyHunters’ dedicated leak site by Friday. That removal is not, by itself, confirmation of payment; researchers describe it as consistent with negotiation underway or a settlement reached. AP asked Instructure directly whether the company paid and received no answer.

That silence is its own data point—not proof that a ransom was paid, but evidence that customers are not being given a clear account of the most consequential part of the incident response. If Instructure paid, the company may have made a defensible emergency judgment that payment could reduce the immediate risk of public data release. But that is not the same thing as protecting the data. The attackers already had it, and payment offers no reliable guarantee that copies were deleted, contained, or will not be monetized later. It also runs against the standard advice from law enforcement and cybersecurity agencies, which warn that paying ransoms encourages future attacks and provides no assurance that data will be recovered or contained.

The point is not to second-guess an impossible call from the outside. The point is that affected institutions deserve more than silence about how the resolution is being managed. The form is improving. The substance is still being managed rather than shared.

Next Steps

Trust is earned through actions, in CEO Daly's own framing. The action of signing the apology was real, and worth crediting. So was the disclosure about the Free-For-Teacher root cause and the engagement of CrowdStrike.

But the actions still missing are also real. The scale of the breach has not been publicly acknowledged. The academic continuity framing is being articulated by everyone except the company at the center of it. Higher ed's trade press is being deflected to a static page. Direct questions about the most material aspect of the resolution are going unanswered. The page hosting the company's "consistent communication" commitment is configured not to be findable through search — a configuration Instructure has not changed, even as media backlinks appear to have temporarily made the page visible in search results.

Canvas built its market position in the 2010s on a posture of openness, customer alignment, and trust. That posture is not yet visible in Instructure’s response to this incident. One step forward. One step back. The next step is theirs.

The main On EdTech newsletter is free to share in part or in whole. All we ask is attribution.
