Instructure Canvas Data Breach Lawsuit, Millions of Student and Teacher Records Records Stolen Worldwide? Peterman v. Instructure, et al. and Related Federal Cases

Instructure, the Utah-based company behind the Canvas learning management system, confirmed a cyberattack in May 2026 that exposed the names, email addresses, student ID numbers, and private messages of users at educational institutions worldwide — and at least two dozen federal class action lawsuits have followed. The lead case in Utah, Peterman v. Instructure, was filed in the U.S. District Court for the District of Utah; a parallel case, Hinds v. KKR & Co. Inc., No. 1:26-cv-03816, was filed in the Southern District of New York on May 8, 2026. If you are a student, teacher, or school employee who has ever used Canvas, your personal information and private messages may have been exposed.

Instructure Canvas Data Breach Lawsuit — Key Facts

Field	Detail
Lawsuit Filed	Peterman v. Instructure — U.S. District Court, District of Utah, first filed May 2026; Hinds v. KKR & Co. Inc., No. 1:26-cv-03816, S.D.N.Y., filed May 8, 2026; at least two dozen federal suits total as of May 27, 2026
Defendant	Instructure, Inc.; Instructure Holdings, Inc.; KKR & Co. Inc. (named in New York suit)
Alleged Harm	Data breach — unauthorized access to names, email addresses, student ID numbers, and private messages; negligence; failure to maintain adequate cybersecurity
Specific Law Alleged	Negligence; breach of implied contract; unjust enrichment; state data privacy statutes (varies by filing)
Who Is Affected	Students, teachers, faculty, and school staff at any of the approximately 8,000–9,000 educational institutions using Canvas worldwide; U.S. users face the clearest legal path
Court & Case Numbers	U.S. District Court, District of Utah (Peterman v. Instructure and related cases); S.D.N.Y., No. 1:26-cv-03816 (Hinds v. KKR & Co. Inc.); S.D. Cal. (filed May 13, 2026)
Current Court Stage	Proposed class actions — pre-certification; multi-district litigation consolidation anticipated
Lead Plaintiff Deadline	TBD — not yet set by courts
Settlement Status	No settlement reached. Active litigation.
Law Firms Involved	Milberg PLLC; KO Lawyers; Carella Byrne Cecchi Brody Agnello PC (Peterman); Marshall Olson & Hull PC (Utah cases); Yagman PLLC (Hinds/New York); Chimicles Schwartz Kriner & Donaldson-Smith LLP (investigating)
Last Updated	May 27, 2026

Who Is Instructure and Why Is the Canvas Data Breach a Lawsuit?

Instructure is a private, Utah-based education technology company founded in 2008 and best known for Canvas, the most widely adopted learning management system in North American higher education. In 2026, Canvas served approximately 30 million active users at over 8,000 institutions across more than 100 countries — K-12 schools, colleges, universities, and even government and business clients. In 2024, private equity firm KKR acquired Instructure for approximately $4.8 billion. That ownership structure matters because plaintiffs in the New York suit named KKR directly, arguing the investment firm shares responsibility for failing to protect user data after the acquisition. This case matters to you if you have ever logged into Canvas through a school, university, or employer — because the platform held your name, your contact information, your academic messages, and potentially far more.

What Happened to Canvas Users Between April and May 2026, and Who Is Being Sued?

The unauthorized access began on April 25, 2026, when threat actors penetrated Instructure’s systems. Instructure’s own status page shows the company detected the intrusion four days later, on April 29, 2026, and immediately revoked access and began its investigation. On May 1, 2026, Instructure’s Chief Information Security Officer Steve Proud publicly confirmed the breach. The following day, the company stated it believed the incident had been contained and disclosed the categories of data involved: names, email addresses, student ID numbers, and messages exchanged among users. Instructure stated it found no evidence that passwords, dates of birth, government-issued identifiers, or financial information were compromised.

On May 3, 2026, the hacking group ShinyHunters listed Instructure on its dark web leak site, claiming responsibility and alleging it had stolen more than 3.65 terabytes of data — affecting approximately 275 million users at nearly 9,000 institutions. ShinyHunters demanded ransom and threatened to release the data publicly. On May 7, 2026, the group escalated: after Instructure attempted to patch systems rather than pay, ShinyHunters defaced Canvas login pages with a ransom note visible to every user trying to log in, triggering a full platform outage that disrupted final exams, assignments, and grading at institutions including Stanford, Yale, Princeton, the University of Manchester, and the University of Oslo.

The lawsuits allege that Instructure’s failure to maintain adequate cybersecurity — including after a prior breach by the same threat group just eight months earlier — constitutes negligence, breach of implied contract, and unjust enrichment. Bloomberg Law reported on May 8, 2026, that Instructure was hit with at least seven federal suits by that date alone, six filed in the U.S. District Court for the District of Utah. By the time the Austin American-Statesman reviewed court records, at least two dozen federal lawsuits had been filed. The cases collectively assert claims on behalf of a proposed nationwide class of Canvas users.

Related article: $5.68M Cook County Race Discrimination in Hiring Settlement, Do You Qualify for a Payment? File by Aug 5 Simpson, et al. v. Thomas J. Dart, et al., Case No. 1:18-cv-00553

Critically, this is Instructure’s second confirmed breach by ShinyHunters in approximately eight months. In September 2025, the same group exploited a social engineering attack against Instructure’s Salesforce environment. Plaintiffs argue that the recurrence — using the same threat actor, the same company, in under a year — is itself evidence of a systemic security posture failure, and that understanding of how data breach class actions establish negligence is directly relevant here. The University of Massachusetts Amherst described the event as a “vendor-driven national event affecting multiple institutions,” and Queensland’s Minister of Education estimated the attack could have impacted the data of 200 million people.

What about the private messages? This is where the case gets more serious than a typical name-and-email breach. Canvas messaging is the system where students report mental health crises to advisors, where accommodation requests are submitted, where Title IX matters are discussed with campus staff, and where sensitive academic conversations happen. The platform was designed with the expectation that those messages stayed inside an institution’s perimeter. They did not.

If you are a student, teacher, or school employee who used Canvas at any point and your institution was among the affected nearly 9,000 schools worldwide, this case may directly affect you.

Are You Part of the Instructure Canvas Data Breach Class Action?

Here is exactly how to know if this lawsuit could include you. The proposed nationwide class covers individuals whose personal information was accessed or acquired in the April–May 2026 Instructure data breach.

You may be included if:

• You are a current or former student, teacher, faculty member, or school employee at any institution that used Canvas as its learning management system
• Your institution was among the approximately 8,000–9,000 worldwide affected by the April 2026 breach
• Your personal information — including your name, email address, student ID number, or private Canvas messages — was potentially accessed or acquired
• You experienced harm including loss of privacy, time spent monitoring accounts or responding to the breach, out-of-pocket costs such as credit monitoring, or stress and anxiety from the exposure of private messages

You likely do NOT qualify if:

• You have never used Canvas through a school, university, employer, or government agency
• Your institution did not use Canvas as of April 2026
• You used Canvas solely through a Free-For-Teacher personal account that was shut down as part of Instructure’s post-breach response, and your institution had no separate Canvas environment

Canvas Users Outside the United States — Are You Still Covered?

The lawsuits filed to date are in U.S. federal courts and primarily assert U.S. legal claims — negligence, breach of contract, and state privacy statutes. If you are a student or teacher in Australia, the United Kingdom, Canada, New Zealand, or elsewhere, you are not currently part of the U.S. federal class actions. However, Australian authorities — including Queensland’s Department of Education — launched independent investigations, and legal advocates in multiple countries are separately assessing claims under local data protection laws including Australia’s Privacy Act and the UK’s GDPR framework. U.S. users with any connection to an affected American institution face the clearest immediate path to class membership.

If you are unsure whether the Canvas data breach class action covers your situation, a free consultation with a data privacy attorney can help you understand your options before any deadline is set by the court.

What Are Canvas Users Asking the Court to Award in the 2026 Data Breach Lawsuits?

The complaints filed in Utah, New York, and California seek a range of remedies. On the damages side, plaintiffs are pursuing compensation for loss of privacy, time and money spent dealing with the breach, out-of-pocket costs such as credit monitoring services, and emotional harm from the exposure of sensitive private messages. Unjust enrichment claims argue that Instructure collected fees and revenue from institutions while failing to invest adequately in the security infrastructure needed to protect user data.

Beyond financial compensation, plaintiffs are also asking courts to require Instructure to delete and purge stored personal data until specific security safeguards are in place, implement internal security training for staff, notify users of all data at risk, and adopt a court-supervised data security improvement program.

What Could Canvas Users Receive If the 2026 Data Breach Cases Settle?

No money is available yet, and no claim form exists. The lawsuits were filed in May 2026 and are in early litigation. For context, Bloomberg Law noted that the PowerSchool data breach — which exposed records on roughly 62 million K-12 students and teachers — produced a $17.25 million settlement and triggered class actions in 11 states. The Instructure breach is larger in the number of claimed users but, based on confirmed data categories, involves less sensitive data classes than some prior education technology breaches. What any settlement might yield for individual class members depends entirely on how many people file, the strength of evidence presented, and what the parties negotiate. A data privacy attorney can give you a realistic picture of your individual situation.

What Should Canvas Users Do Right Now?

1. You are likely already included — no immediate action required. Most class action members are automatically included in a proposed class. There is no sign-up form, no opt-in, and no filing deadline at this early stage.
   
2. Save every Canvas-related notification you have received. Hold onto any emails from your school’s IT department, from Instructure directly, or from your institution’s administration about the breach. These communications document when you were notified and what your institution knew.
   
3. Document your Canvas use and the institution involved. Note your school or employer, your years of enrollment or employment, and whether you used Canvas messaging for sensitive communications. This context becomes important if a settlement claims process opens.
   
4. Take basic protective steps now. Change your Canvas password if you have not already, and change it on any other accounts where you used the same credentials. Enable multi-factor authentication wherever available. Review your email account for unusual login attempts, since your email address was among the confirmed exposed data.
   
5. Track the cases. The primary federal cases are pending in the U.S. District Court for the District of Utah (Peterman v. Instructure and related cases) and the S.D.N.Y. (Hinds v. KKR & Co. Inc., No. 1:26-cv-03816). You can monitor filings through PACER at pacer.gov. Courts may consolidate these cases into a single multi-district proceeding as the litigation develops.
   
6. Consider your options if you experienced actual financial harm. If you have already suffered identity theft, received phishing messages that resulted in financial loss, or experienced concrete out-of-pocket costs directly tied to the breach, you may have a stronger individual claim worth discussing with a class action lawsuit attorney separately from the class.
   

Instructure Canvas Data Breach Lawsuit Timeline

Milestone	Date
Unauthorized actors first access Canvas systems	April 25, 2026
Instructure detects intrusion, revokes access	April 29–30, 2026
Instructure CISO Steve Proud publicly confirms breach	May 1, 2026
Instructure states breach “contained,” discloses data categories (names, emails, student IDs, messages)	May 2, 2026
ShinyHunters posts ransom demand on dark web leak site, claims 3.65TB stolen from ~275M users	May 3, 2026
ShinyHunters defaces Canvas login pages with ransom note; platform outage begins	May 7, 2026
First federal lawsuits filed — at least 6 in U.S. District Court for the District of Utah	May 7–8, 2026
Hinds v. KKR & Co. Inc. filed, S.D.N.Y., No. 1:26-cv-03816	May 8, 2026
Instructure announces agreement with ShinyHunters; claims data returned and destroyed	~May 11, 2026
Instructure issues apology for “lack of transparency” on incident update page	May 11, 2026
Class action filed, U.S. District Court for the Southern District of California (San Diego)	May 13, 2026
Total federal lawsuits filed: at least two dozen	As of May 27, 2026
Multi-district litigation consolidation	TBD — not yet ordered
Lead plaintiff deadlines	TBD — not yet set by courts
Expected resolution	TBD — early litigation stage

Instructure Canvas Data Breach Lawsuit — Frequently Asked Questions, Peterman v. Instructure and Related Cases

1. Is there a class action lawsuit against Instructure for the Canvas data breach right now? 

Yes — multiple ones. At least two dozen federal class action lawsuits have been filed against Instructure since May 7, 2026. The lead case in Utah is Peterman v. Instructure, filed in the U.S. District Court for the District of Utah. A parallel suit, Hinds v. KKR & Co. Inc., No. 1:26-cv-03816, was filed in the Southern District of New York on May 8, 2026, and names both Instructure and its private equity owner KKR as defendants.

2. Do I need to do anything right now to be included in the Instructure Canvas data breach class action?

 No. Class members in proposed class actions are included automatically. There is no opt-in form, no claim deadline, and no action required at this early stage. The most useful things you can do now are save breach-related notifications from your school and document your Canvas use and institution.

3. When will the Instructure Canvas data breach cases settle?

 It is impossible to predict. The lawsuits were filed in May 2026 and are in the earliest stage of litigation. Courts may consolidate the cases into a single multi-district proceeding before any settlement can be negotiated. Cases of this scale — involving millions of users and dozens of parallel suits — typically take one to several years to resolve.

4. Can I file my own lawsuit against Instructure for the Canvas data breach instead of joining the class? 

Yes. Individual claims are an option, particularly if you experienced concrete financial harm such as identity theft or out-of-pocket costs directly traceable to the breach. For most users, the class action is the practical path. A data privacy attorney can tell you which approach makes more sense given your specific situation.

5. How will I find out if the Canvas data breach lawsuits settle?

 If a settlement is reached and approved, Instructure will be required to notify class members — typically by email to the address your institution has on file. You can also monitor filings directly through PACER (pacer.gov) and check back here for updates as the litigation develops.

6. What does “lead plaintiff” mean, and does the deadline matter for Canvas users? 

The lead plaintiff is the named individual who represents the entire class, works closely with attorneys, and has their name on public filings. In data breach cases like this one, courts set lead plaintiff deadlines through scheduling orders issued after the lawsuits are filed. No lead plaintiff deadline has been announced in the Instructure cases as of May 27, 2026. If you want to be considered for that role — which is more active than ordinary class membership — watch for scheduling orders on PACER and contact one of the plaintiff’s law firms promptly.

7. What specific laws does Instructure allegedly violate in the Canvas data breach lawsuits?

 The Utah and California cases assert negligence, breach of implied contract, and unjust enrichment under common law. The New York suit against KKR and Instructure adds negligence claims specific to KKR’s ownership responsibilities. Some complaints also invoke state data breach notification statutes. The full range of legal theories will likely expand as the cases develop and plaintiffs conduct discovery into Instructure’s security practices, especially given the prior September 2025 breach.

8. How much could Canvas users receive from a future Instructure data breach settlement?

 No money is available yet, and no settlement exists. Individual recoveries in data breach class actions vary widely. Bloomberg Law reported that the PowerSchool breach — affecting roughly 62 million students and teachers — produced a $17.25 million settlement. Individual payouts in education data breach settlements have historically ranged from credit monitoring services to modest cash payments, depending on the number of claimants and proof of actual harm. If you experienced documented financial harm, your recovery potential is higher. A data breach compensation attorney or class action lawsuit attorney can give you a clearer picture of your specific situation.

Sources Used in This Instructure Canvas Data Breach Article

• Bloomberg Law — “KKR, Instructure Sued After Data Breach of Canvas EdTech Tool,” May 8, 2026: https://news.bloomberglaw.com/litigation/kkr-instructure-sued-after-data-breach-of-canvas-edtech-tool

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against Instructure’s official CISO statements, Bloomberg Law court reporting dated May 8, 2026, and Chimicles Schwartz Kriner & Donaldson-Smith LLP’s published investigation disclosure. Last Updated: May 27, 2026.

This article is for informational purposes only and does not constitute legal advice. Laws vary by state and individual circumstances differ. For advice about your specific situation, consult a qualified attorney.