Around 5 p.m. on Wednesday, May 6, Sequoia staff members received an email from the district office disclosing the potential breach of student information in a recent cybersecurity incident. The data attack targeted Instructure, the parent company of Canvas, putting personal information of countless users at risk.
Canvas is an integral education tool used by high schools and universities alike, storing announcements, assignments, quizzes and grades all in one place.
“The district reviews data privacy practices and compliance when entering into partnerships with tech tools,” District Director of Instructional Technology Barbara Reklis said.
This includes their signed agreement with Instructure when the school district first started using Canvas.
“Our priority is to protect students and staff, as well as to maintain continuity for teaching and learning,” Reklis said.
While no government identifiers or passwords were stolen during the security incident, roughly 275 million records including student ID numbers, email addresses and direct messages on the Canvas platform were compromised.
The following day, Canvas underwent a shutdown that logged all users out of the program. This affected schools across the country, but was brief, with access being restored on Friday, May 8.
“The district is continuously monitoring the impacts of the recent incident to ensure students and staff have what they need,” Reklis said.
Instructure assured that the data breach had been contained, but the security of Sequoia High School’s information is still unknown. Confirmed local universities that were impacted include Stanford, UC Santa Cruz and UC Berkeley, whose students received a message via the Canvas login page threatening to release information on Tuesday, May 12.
According to the ransom note, a hacking group known as ShinyHunters has claimed responsibility for the Instructure attack, acquiring about 3.65 terabytes of Canvas data from almost 9,000 schools. This makes it the largest educational data breach ever recorded.
While the Canvas shutdown disrupted countless institutions worldwide, this event has sparked questions about the fragility of educational security systems and what would happen in a more serious attack.
“An incident like this is a great time to reflect on existing policies, making improvements as necessary,” Reklis said.
As of May 12, Instructure publicly paid a settlement that returned the data to them and they received digital “shred logs” as proof that all copies of the stolen files were destroyed. Moreover, Instructure publicly stated that no individual customers would be targeted or extorted as a result of the breach.
Forensic teams are still trying to identify which institutions of the thousands impacted by this incident were actually hacked, but it is certain that a breach did occur within Instructure’s system.
“This data breach offers a strong reminder that we all need to be vigilant in protecting our digital data,” Reklis said.
All current updates on this matter can be found through Instructure’s page here:


















