Skip to content

Breach response

What the May 2026 Instructure breach means for AU Canvas institutions

In May 2026, the ShinyHunters group breached Instructure, the company behind Canvas LMS. The exposed data (reported at roughly 3.65 TB across 8,809 institutions) was significant on its own. But for Australian education compliance owners, the more durable lesson was not a change Instructure made. It was a fact the breach made impossible to keep ignoring: protecting and recovering the data inside Canvas has always been the institution's responsibility, not the vendor's, and Instructure's own terms say so.

If your continuity plan ever rested, even implicitly, on Instructure being able to retrieve lost content for you, this is the moment to check that assumption against what you have actually contracted for. This article sets out what Instructure's terms say about whose job recovery is, why that matters for your specific compliance obligations, and the three concrete things to do before your next audit.

What the breach actually changed

The breach was a real exposure and trust event: credentials, configurations, and in some cases content were compromised, and every affected institution had to assess its own blast radius. What it did not do is change the contract. Responsibility for protecting and recovering your course data sat with the institution before the breach and sits there after it. What changed is that a comfortable assumption, that the vendor was an implicit backstop, became hard to keep holding.

Instructure's own Master Terms set the split out plainly: Instructure keeps Canvas running and secures the platform (§5), your courses remain your property (§9), and protecting them is your responsibility (§3). The platform is provided as is, with no obligation on Instructure to keep a recoverable copy of your courses for you. Read that way, the breach did not open a hole in your continuity plan. It made an existing one visible.

The distinction that matters here is between having a backup and having tested a restore. Plenty of institutions take Canvas exports. Far fewer have ever taken one of those exports, restored it into a clean environment, and verified that what came back actually matches what they had. After May 2026, that gap is no longer academic. It is the difference between a recovery plan and a hope.

Why this lands on compliance, not just IT

For registered training organisations, ASQA's record-keeping obligations (Clause 8.1–8.2 in the standards most providers operate under) require that records be retained and be able to be retrieved and transferred. Retrieval you have never tested is not retrieval you can attest to. An auditor is entitled to ask not just "do you keep records?" but "can you produce them, intact, on request?"

For institutions on an Essential Eight uplift program, Maturity Level 1 explicitly requires that backups be restored at least once as part of disaster recovery testing. This is the line that catches people: the control is not "take backups," it is "restore from backup and confirm it works." A backup regime with no restore test does not meet ML1, however diligent the backups themselves are.

Insurers are converging on the same question. Cyber and professional indemnity renewals increasingly ask whether the organisation has recently restored from backup, not whether it has one. The breach has simply made the question urgent and concrete for the education sector.

Three things to do before your next audit

1. Establish an independent backup you control. Confirm you hold backups of all published Canvas courses outside Instructure's control, stored where you can prove their location. For Australian providers, that means Australian data residency, a procurement and privacy expectation that buyers and assessors will check. Confirm, too, that those backups are immutable: that they cannot be silently deleted or overwritten within your retention period.

2. Run a real restore drill and document it. Take a recent export, restore it into a separate Canvas test environment, and verify it against the live course: structure, enrolments, submissions, gradebook, and media. Record the outcome with a date, an operator, and a pass/fail result. If you have never done this, expect to find gaps; that is precisely what the drill is for. (We publish a free Canvas Restore Drill Template with the procedure and an auditor-ready log.)

3. Update your evidence to reflect the new reality. Revise any compliance documentation that assumed vendor-side recovery. Your evidence pack should now show an independent, in-Australia, immutable backup plus a dated restore record mapped to the specific clause your auditor will ask about: ASQA 8.1–8.2, Essential Eight ML1, and, where relevant, ISO 27001 A.8.13.

The question your auditor will actually ask

Before May 2026, the implicit audit question was "are you backed up?" After it, the question is sharper: "have you restored, and can you show me the evidence?" Institutions that can hand over a dated, signed restore record will move through their next audit quickly. The rest will be improvising in the room.

You can run this yourself, and the template above is genuinely all you need to start. If you would rather have continuous immutable backup in Australia, a restore drill run on a schedule, and a Restore Verification Report produced for you, that is exactly what Retenta does. See pricing.

Further reading: the

ASD Essential Eight guidance

sets out the restore-testing expectation in detail.


← All resources