Canvas data security incident
Updates on the ongoing third-party data security incidents affecting Canvas at Oxford and other institutions.
Last updated: Monday 11 May 2026, 1pm.
This page will be updated as more information becomes available.
Canvas access restored following temporary suspension
The University has restored access to Canvas following a temporary suspension of service on Friday 8 May taken as a precautionary measure.
In line with many universities, Oxford took the decision to suspend access following notification from Instructure, the third-party supplier of Canvas, of two instances of unauthorised access to Canvas.
There is no indication that University systems have been compromised. The incidents impacting Canvas are understood to have impacted many Instructure customers worldwide and are not specific to Oxford.
Security incidents
On Wednesday 6 May 2026, the University was informed that unauthorised access to Canvas affecting universities worldwide involved Oxford user data. There is no evidence that this data has been shared publicly. The University notified the Information Commissioner’s Office on 7 May, in line with its obligations.
Following a second incident on Thursday 7 May, involving defacement of Canvas login screens, the University took the decision to temporarily restrict access to Canvas as a precaution at midday on Friday 8 May.
Access was restored at approximately 12 noon on Monday 11 May, following further investigation and monitoring, and additional security assurances from Instructure.
What is and is not affected
The University uses secure, Single Sign-On (SSO) authentication for Canvas for staff and students, and there is no evidence that University accounts have been compromised. Based on the most recent information provided by Instructure, the data understood to have been affected by the first incident is limited to usernames, email addresses used in Canvas, messages exchanged between users on the platform, course names and course enrolment information. There is no evidence at this stage that academic records, exam results, financial details or other categories of personal data have been accessed, though the University is continuing to seek further detail from Instructure.
Exposure of names, email addresses and messages held within Canvas may, however, increase the risk of phishing attempts.
Important guidance
To help protect people, systems and data in light of this incident, staff and students are required to:
- Only access Canvas through the University's official link, the MyOxford app or the Canvas app.
- Avoid clicking links or downloading attachments from unknown senders in unexpected emails, texts or messages, which may include requests to reset a Canvas password, re-authorise Canvas, download course files or verify an account.
Additional advice shared with staff includes:
- Do not extract bulk user, course, grade or message data from Canvas unless it is operationally essential to do so.
- Avoid sharing any highly sensitive personal, welfare, disciplinary, medical or confidential research information in messages or free-text fields within Canvas.
Phishing advice
Due to the ongoing, heightened risk of phishing as a result of the first incident, all staff, students and external users of Canvas should continue to:
- Stay alert to any suspicious emails or messages which may appear to come from trusted organisations including the University, Instructure or Canvas, or which may attempt to threaten or coerce.
- Verify requests for personal or financial information independently.
- Report any suspicious or concerning emails or messages to the Information Security team at [email protected] and follow the published guidance on reporting an incident.
- Ensure that software is up to date and anti-virus is installed on all work devices (including mobile devices).
The University will never ask for a password by email or message.
Staff and students may find the following resources useful: accessing free software (including anti-virus), protecting your computer and keeping mobile devices secure. The University’s online training course offers further information and advice about information security and data protection at Oxford.
Support for students
We recognise that this disruption may have temporarily affected students’ access to teaching and course materials, particularly during the examination period.
This situation may be worrying for some students, and there may be specific questions or concerns – including over messages held within Canvas – that students would find it helpful to discuss. Students are encouraged to contact Student Welfare and Support Services. Further information is available on the MyOxford app and at https://www.ox.ac.uk/students/welfare.
Students who feel their studies or assessments have been affected should follow their college or department’s existing mitigating circumstances processes in the usual way.
Please note
- These incidents relate to a third-party supplier system; there is no evidence of a compromise to University authentication systems.
- There is currently nothing to suggest that passwords or financial information are affected.
- The University is working closely with Instructure and continuing to assess the impact.
- The main precaution at this stage is to remain alert to phishing or scam emails and to ensure devices used for work or study are appropriately protected.
- Affected users will be contacted directly if any further action becomes necessary.
Further updates
The University continues to work closely with Instructure. Further updates will be made available on this page as the situation develops.