The operator of Canvas, the cloud-based learning management platform used by more than 8,000 schools and universities, is facing a wave of proposed class actions after a cyberattack attributed to hacking group ShinyHunters reportedly exposed the personal data of more than 275 million students and teachers. More than half a dozen suits have been filed in Utah and New York federal courts in just the past week, with plaintiffs alleging that Utah-based Instructure Inc. failed to properly secure names, email addresses, student ID numbers, private messages, and enrollment records entrusted to its platform.

The complaints follow a familiar script: Instructure promised robust data security, failed to deliver, and is now facing the consequences. Plaintiffs allege that despite having the financial wherewithal and personnel necessary to prevent the breach, Instructure failed to implement security procedures adequate to protect the sensitive, unencrypted information it maintained. 

For those following FTC enforcement in the privacy space, this situation has a familiar ring. In December 2025, the Commission announced a consent order against Illuminate Education, which provides cloud-based tools to more than 5,200 school districts, following a 2021 breach that exposed the personal data of more than 10 million students. The FTC's complaint against Illuminate alleged a pattern of security failures strikingly similar to what Canvas plaintiffs are now alleging: storing student data in plain text, failing to implement reasonable access controls, and neglecting to notify affected school districts in a timely manner. Compounding those failures, the credentials used to access Illuminate's system belonged to a former employee who had left the company more than three and a half years before the breach.

The Illuminate matter also drew parallel enforcement from state attorneys general: California, Connecticut, and New York reached a $5.1 million multistate settlement with Illuminate over the same breach, with California alone receiving $3.25 million in civil penalties under the California K-12 Pupil Online Personal Information Protection Act.

The Canvas litigation is still in its early stages, and it would be premature to draw conclusions about Instructure's ultimate liability. But the Illuminate matter offers a useful preview of the regulatory and litigation exposure that can follow a major breach, particularly where a company's security practices diverge from its public representations.