On approximately May 7, 2026, Instructure identified a breach of their systems that affected nearly 9,000 educational institutions worldwide. Please note that this was not a breach of USD 331’s internal servers or local network; the incident occurred entirely within the vendor's global environment.

Instructure's Response

What Information Was Involved?
According to the latest forensic reports from Instructure, the data accessed was primarily limited to directory-level information, including:

  • Student and staff names

  • District-assigned email addresses

  • Internal student identification numbers

  • Internal Canvas messages (communications sent within the platform)

Importantly, Instructure has confirmed that the following were NOT compromised:

  • Passwords

  • Social Security numbers or government identifiers

  • Dates of birth

  • Financial or payment information

Our District Protections
We want to reassure you that USD 331 maintains strict security protocols that significantly mitigate the risk of this incident:

  • Email Restrictions: As a standard safety measure, the majority of students are restricted from receiving emails from any sender outside of our district domain. This prevents external parties from contacting students directly via the email addresses involved in this breach.

  • Data Recovery: Instructure has reported that they have successfully worked with law enforcement and security experts to recover the data and have received digital verification ("shred logs") that the unauthorized copies were destroyed.

Recommended Action
While no direct action is required on your part, we recommend that families remain vigilant regarding phishing attempts. Because internal Canvas messages were part of the breach, attackers could potentially craft very convincing "fake" emails to parents or staff that appear to reference real school activities.

  • Be cautious of any email asking for passwords, personal information, or immediate financial payments, even if it looks like it is coming from a school official or a Canvas notification.

  • Always log in to district services by navigating directly to the URL rather than clicking links within an email.

The security of student data is a top priority for us. We are continuing to monitor the situation and are in close contact with Instructure for further updates. If you have any specific questions, please feel free to reach out to the District Office.