A significant cybersecurity breach targeting the learning management system Canvas has compromised student and faculty data at multiple US colleges and has also affected the University of the East in the Philippines. The incident was first reported by US media outlets on Tuesday, May 13, 2025, with affected institutions confirming unauthorized access to sensitive information stored on the platform. UE officials in Manila acknowledged the breach on Wednesday, May 14, stating they are coordinating with national cybersecurity authorities.
Scope of the Breach
Canvas, a widely used online education tool developed by Instructure, serves over 30 million users globally, including universities and school districts. Initial reports from the Rochester City School District in New York indicate that a list of affected districts and students has been released following what investigators describe as one of the largest student data breaches in US history. The compromised data includes names, email addresses, course enrollment details, and in some cases, grades and financial aid information.
The Philippine Department of Information and Communications Technology (DICT) has not yet issued a formal statement, but sources within the agency confirmed to PinoyPulse that they are monitoring the situation. The University of the East, which uses Canvas for its online and blended learning programs, reported that an internal audit found evidence of unauthorized access to its Canvas instance dating back to early April.
University of the East Confirms Impact
UE President Dr. Zosimo Batad Jr. issued a memorandum on Wednesday afternoon informing students, faculty, and staff of the breach. He stated that the university's IT department detected anomalous activity in the Canvas system on May 10 and immediately took the platform offline for investigation. The university has since restored access but advised users to change their passwords and monitor their accounts for suspicious activity.
"We are working closely with Instructure and the Philippine National Police Anti-Cybercrime Group to determine the full extent of the breach," Dr. Batad said in the memo. "We urge everyone to remain vigilant and report any unusual activity to our help desk immediately."
UE has approximately 20,000 students across its campuses in Manila and Caloocan, all of whom use Canvas for course materials, assignments, and exams. The university has temporarily suspended all online assessments until the integrity of the system is confirmed.
US Institutions Reel from Breach
In the United States, the breach has affected dozens of schools and colleges, including the Rochester City School District, which serves over 24,000 students. District officials held a press conference on May 13, confirming that the breach exposed student names, dates of birth, and academic records. They advised parents to place fraud alerts on their children's credit files.
The Federal Bureau of Investigation (FBI) has opened an inquiry into the incident, with early evidence pointing to a coordinated attack by a hacking group known for targeting educational institutions. Instructure released a statement saying they have patched the vulnerability that allowed the breach and are cooperating with law enforcement.
No PAGASA Advisories Yet
While the Philippine Atmospheric, Geophysical and Astronomical Services Administration (PAGASA) has no direct role in cybersecurity, its disaster risk reduction division has issued a reminder that data breaches can be a precursor to social engineering scams, especially during emergencies. PAGASA spokesperson Juanito Galang told PinoyPulse that the agency has not received any related advisories but emphasized the need for public awareness.
Previous Incidents Raise Concerns
This is not the first time Canvas has faced security issues. In 2020, a vulnerability was discovered that allowed unauthorized access to user accounts, but it was quickly patched. The current breach appears to be more extensive, with some US law firms already advertising services to affected students. A legal notice from LLF National Law Firm, obtained by PinoyPulse, warns that students may face disciplinary probation if their compromised data is misused to fabricate AI-generated academic work.
The notice states:
"Allegations of misusing artificial intelligence in your academic work can result in disciplinary probation. This is one of several punishments a student might face, and is a particularly common disciplinary outcome for those with no prior disciplinary offenses."
What Students Should Do
Cybersecurity experts recommend that all Canvas users immediately change their passwords, enable two-factor authentication if available, and review their account activity for any unauthorized changes. The Philippine National Police Anti-Cybercrime Group has set up a hotline for UE students to report suspicious activity. The group advises against clicking on links in unsolicited emails that claim to be from Canvas or UE, as these may be phishing attempts.
Instructure has provided a support page for affected institutions, but local tech analysts note that the company has been slow to release a definitive list of affected users in the Philippines. The University of the East has created a dedicated breach response page on its website, where updates will be posted as more information becomes available.
The DICT is expected to issue a statement by the end of the week as it continues its own investigation. Meanwhile, students and faculty across campuses are advised to remain alert as the full impact of the breach unfolds.



