Canvas data breach: Wayzata Public Schools sends warning letter to parents

Lawmakers discuss school data breaches

After both the University of Minnesota and the Minneapolis Public School District fell victim to data breaches in the past year, lawmakers will have to consider whether or not further steps should be taken by education institutions to protect sensitive information.

PLYMOUTH, Minn. (FOX 9) - Families in Wayzata are being warned about a data breach involving Canvas, the learning management system used by students in grades 4-12. 

Wayzata Public Schools responds to data breach

What we know:

Officials say on May 1, 2026, Instructure, the parent company of Canvas, notified Wayzata Public Schools that hackers had accessed certain systems within their environment.

According to the district, "This was a vendor-side incident. The internal networks and systems of Wayzata Public Schools were not breached or compromised."

The district said the breach potentially involved student and staff names, email addresses, student ID numbers and internal messages sent within Canvas. Instructure officials confirmed there is no evidence that passwords, dates of birth, government identifiers or financial information were accessed. 

What they're saying:

Officials with Wayzata Public Schools released the following statement:

"The privacy and security of our students' data is our highest priority. The district has activated its Incident Response Team, is staying in close contact with Instructure and has started reviewing its own security protocols. Families are being urged to watch for phishing attempts and monitor school accounts for any unusual activity."

Canvas is widely used for homework, student messaging and grading. Steve Proud, Chief Information Security Officer at Instructure, said, "We are actively investigating this incident with the help of outside forensics experts. We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact."

The backstory:

Hackers claim to have accessed data on 275 million users and more than 9,000 schools, according to information from Instructure and school district communications. 

Instructure says the incident has been contained and that they have revoked privileged credentials, deployed security patches, rotated certain keys and increased monitoring across all platforms. District officials say Instructure has committed to notifying any impacted institutions if new information comes to light. 

What you can do:

Wayzata Public Schools recommend families be cautious of unsolicited emails or messages that appear to come from Canvas, especially those asking for personal information or password resets. Monitoring student accounts for any unusual activity is also advised. The district emphasized that no passwords were stolen, but encouraged families to follow best practices for digital security. 

What we don't know:

It is not yet clear exactly how many Wayzata students or staff may have had their information accessed, or whether any Minnesota-specific data was targeted. The investigation is active and ongoing.