What Happened
A cybersecurity breach has hit Canvas, the popular online learning management system used by colleges and universities across Ontario — and potentially student data is at risk. The University of Toronto and OCAD University are among the Ontario institutions confirmed to be impacted, with others believed to be affected as well.
Canvas, developed by Instructure, is one of the most widely adopted learning platforms in post-secondary education across Canada and the United States. It's where students submit assignments, access course materials, communicate with professors, and manage their academic lives — making it a treasure trove of personal and academic data.
Which Schools Are Affected
While U of T and OCAD have been specifically named in connection with the breach, the incident appears to span multiple Ontario universities. Institutions that rely heavily on Canvas for course delivery would potentially be in scope, and students at affected schools are being urged to stay alert.
The breach raises serious concerns given how much sensitive information passes through platforms like Canvas — student IDs, contact details, assignment submissions, and in some cases, financial or accessibility information linked to academic accounts.
What Students Should Do
If you're a student at an Ontario university that uses Canvas, cybersecurity experts recommend taking a few precautionary steps right away:
- Change your password for Canvas and any linked institutional accounts
- Enable two-factor authentication wherever it's available
- Watch for phishing emails — breach incidents are often followed by targeted scam attempts using your real name or school info
- Monitor your email and student accounts for any suspicious activity or unauthorized access notices
- Check your university's official communications — affected schools should be issuing guidance directly to students
A Growing Threat to Education
This incident is the latest in a string of cyberattacks targeting educational institutions, which have become increasingly attractive targets for hackers. Schools hold large volumes of personal data, often have complex IT environments, and — compared to financial institutions — may have fewer dedicated cybersecurity resources.
Ontario universities have been working to modernize their digital infrastructure, but breaches affecting third-party vendors like Canvas highlight how even well-resourced institutions can be exposed through the platforms they rely on.
For students at Carleton University, the University of Ottawa, or other Ottawa-area schools that use Canvas, it's worth checking whether your institution has issued any breach-related notices and following any instructions provided by your IT or registrar's office.
What's Next
Affected schools are expected to notify students and work with Instructure to determine the scope of the breach and what data, if any, was accessed. Canadian privacy law requires organizations to report significant breaches to the Office of the Privacy Commissioner, so regulatory scrutiny is likely to follow.
For now, students across Ontario should treat this as a reminder to practice good digital hygiene — strong, unique passwords and skepticism toward unsolicited emails go a long way.
Source: CBC News
