Data breach in Canvas – what has happened

Previous information

Update 18 May, 09:30: The restoration of the integration between Canvas and Zoom is complete.

Please note: When you click Zoom in Canvas for the first time after the restoration, you will be prompted to accept a Zoom LTI calendar. This is expected. Click Accept – you only need to do this once. This is because the integrations have been reset, and each user must create a new connection by accepting.

Update 13 May, 10:20: The restoration of integrations in Canvas has begun. Inspera Originality (IO) and Miunplay/Kaltura are now enabled.

Please note: When you click Miunplay in Canvas for the first time after the restoration, you will be prompted to accept a Kaltura Scoped Key. This is expected. Click Accept – you only need to do this once. This is because the integrations have been reset, and each user must create a new connection by accepting the Scoped Key.

The remaining integrations will be re-enabled gradually. The next integration to be restored is the one with Zoom.

Work to re-enable the integration with Ladok is ongoing, with the aim of having it operational by 18 May.

Update 12 May at 10:10: The vendor Instructure, which provides the learning platform Canvas, has reached an agreement with the unauthorised actor in order to manage the incident and recover the data.

According to Instructure, all customers are covered by this agreement. The data will not be shared further, and individual customers do not need to contact the actor themselves.

We are now entering a new phase in which we, together with the respective system vendors, are assessing when it will be possible to reactivate our integrations in Canvas. The expectation is that all systems will be up and running as normal next week.

At the same time, we continue to review how the incident was handled and what measures were taken.

As always, we would like to remind you of the importance of being cautious before opening emails, clicking on links, or downloading files from unknown senders. Pay particular attention to messages that seem unusual, create a sense of urgency, or contain suspicious attachments or links.

If you receive an email or message that you do not recognise or suspect may be fraudulent, always contact itsupport@miun.se before clicking on or opening anything. It is always better to ask once too often than once too little.

Update 11 May at 12:17: Questions and answers are now available, divided between teaching staff and students. There you can read what currently applies. Be alert to contact attempts and do not disclose your login credentials!

Update 8 May, 6:30 PM Due to attacks on Canvas, integrations between Canvas and other systems have been temporarily disabled as a security measure.

Canvas remains open, but with some limited functionality. If any member of staff or student at Mid Sweden University is contacted directly by the threat actor, or via a third party, the Police advise that we do not respond.

In such cases, please contact itsupport@miun.se.

Update May 8 at 09:40: Due to new attacks targeting Canvas, integrations between Canvas and other systems have been temporarily disabled as a security measure. This includes integrations within Canvas.

The shutdown means that integrations between Canvas and other systems are currently unavailable, including connections to, for example, Ladok, Kaltura/MiunPlay, Inspera Originality (IO), and Zoom.

This means that:

• Videos stored in Kaltura/MiunPlay cannot be displayed or embedded.
• Zoom meetings cannot be created or managed within Canvas (however, Zoom can still be used independently).
• Results cannot be automatically synchronized from Canvas to Ladok.
• Changes made in Ladok, such as registrations or the creation of courses or course responsibility assignments, do not take effect immediately in Canvas. These changes are instead placed in a queue and will be processed once the integration can be re-enabled.

Canvas remains operational, but with limited functionality while the integrations are disabled.

The new attack has not resulted in any Ladok data being hacked or compromised.

Work is ongoing to manage the situation and restore functionality in a secure manner. Updated information will be published continuously.

Information from May 7, 16:00

In late April, Canvas was affected by a cyber attack targeting the service provider. Personal data has been exposed, and we are one of the affected higher education institutions. The incident is still under investigation, and the University has implemented several measures to strengthen security.

What happened?

On 25 April 2026, Instructure was subjected to a cyber attack in which an external actor exploited a vulnerability in a system provided by the vendor. The attack was detected on 29 April, at which point the identified access was immediately revoked. Instructure publicly disclosed the incident on 2 May.

Has Mid Sweden University been affected?

As a result of the breach, a large international hacker group gained access to personal data such as names, email addresses and content from private messages. It has been confirmed that Mid Sweden University was among the affected institutions.

Mid Sweden University has submitted a notification to the Swedish Authority for Privacy Protection (IMY).

In addition to updating information provided to staff and students, we have also implemented measures to enhance security for system administrators.

The data breach is still being investigated by the vendor in collaboration with several parties, including Sunet. Mid Sweden University is also participating in a small coordinating group with representatives from several higher education institutions that continues to monitor developments related to the incident.

Canvas is a central part of the University’s educational operations, and the system remains in service. At present, there are no recommendations for specific actions for users, other than exercising caution regarding the information shared in private messages within the platform, being vigilant about suspicious emails or other contact attempts, and not sharing login credentials.

Mid Sweden University takes this incident very seriously and will update the information as soon as new and confirmed details become available.