Regarding the data breach in the Canvas learning platform

Instructure, the company that owns Canvas, stated in early May 2026 that a unauthorized actor had gained access to certain personal data. Many higher education institutions around the world were affected.

Konstfack immediately reported the incident to the Swedish Authority for Privacy Protection (IMY) and implemented security measures. On 12 May, Instructure announced that they had reached an agreement with the unauthorized actor, who promised that the data obtained had been deleted and would not be released.

Since then, Konstfack has received information from Instructure about which data was exposed. The breach includes user accounts for employees and students at Konstfack, as well as a number of external users of the service, dating back to 2018.

The unauthorized actor has had access to:
• Name
• Email address
• Personal identity number
• Courses these individuals have participated in within the learning platform

Is there any risk?
Even though the data is reported to have been deleted, Konstfack would like to emphasize that in incidents of this nature it is never possible to know with complete certainty how the data has been handled.

We cannot rule out that affected individuals may be exposed to, for example:
• Phishing attempts (fraudulent emails or text messages)
• Fraud attempts or identity misuse

If you have a Canvas account at Konstfack, or have had one previously, you should keep the following in mind:
• Log in to Canvas via konstfack.se, or through a shortcut you have created yourself, and not via links in emails
• Be alert to unusual emails and text messages. Phishing attempts may occur.
• If you have a guest login in Canvas, change your password. If you are a regular user (teacher or student), you do not need to change it.

Questions
If you have questions about the incident, please contact Konstfack's Data Protection Officer: dataskyddsombud@konstfack.se