Canvas Breach: What Virginia School Divisions Need to Know After the Event

On May 7, 2026, the ShinyHunters ransomware group breached Instructure’s Canvas learning management system and exfiltrated an estimated 3.6 terabytes of data affecting roughly 275 million records tied to students, teachers, and staff worldwide. Virginia is not on the periphery of this story. It is at the center of it.

Virtual Virginia, the Commonwealth’s primary online learning platform, runs on Canvas. That means every Virginia school division has some degree of exposure – through direct use, through dual enrollment programs, or through students taking AP and specialized courses online. Virginia Beach, Chesapeake, Newport News, and Isle of Wight County have all reported varying levels of impact, according to The Virginian-Pilot. ODU took its system entirely offline. Virginia Tech, VCU, UVA, and James Madison University have all issued security alerts.

The breach did not happen because of a sophisticated attack on enterprise infrastructure. It reportedly involved Free-For-Teacher accounts – unmanaged cloud access operating outside normal division oversight. Teachers often adopt these tools to fill operational gaps quickly. In this case, that access became part of the exposure pathway.

The question Virginia IT directors are asking this week is the right one: not “How do we fix Canvas?” but “How do we ensure our next major technology rollout does not have the same exposure?” The incident also reinforces questions many divisions are already asking under Virginia Code Section 22.1-20.2:1 about oversight, inventory, vendor agreements, and division-managed environments where student data is processed and stored. Many divisions are now reevaluating how much sensitive student information should depend on centralized third-party cloud systems versus locally managed environments under direct division control.

The breach demonstrates how centralized cloud systems can concentrate risk at enormous scale. Locally managed systems reduce the scale and scope of this type of exposure.
