The Instructure Canvas Breach Explained: What NZ Businesses and Schools Need to Know

The education technology sector has once again found itself in the cybersecurity spotlight. A recent incident involving Instructure Canvas — one of the world's most widely used Learning Management Systems (LMS) — has highlighted just how exposed schools, universities, and the supply chains around them are to data breaches and follow-on phishing attacks.

TrendAI's research team published a detailed breakdown of the incident, which you can read here: "What Is the Instructure Canvas Breach?".

In this post, we'll summarise what happened, explain why it matters for New Zealand organisations (especially those in education and EdTech), and walk through the email security controls that help defend against the inevitable wave of impersonation attempts that follow a breach like this.

What Happened in the Instructure Canvas Breach?

Instructure's Canvas platform is used by thousands of educational institutions globally, including a significant number of New Zealand universities, polytechnics, and schools. The platform stores sensitive information including:

  • Student names, email addresses, and contact details

  • Academic records and submissions

  • Staff communications

  • Integration data with other school systems

According to TrendAI's analysis, the breach exposed user data that attackers can now weaponise in highly targeted phishing campaigns. Even when financial information isn't stolen, the contextual data — knowing someone's institution, course, and lecturer names — makes phishing emails dramatically more convincing.

Why This Type of Breach Is Especially Dangerous

Education-sector breaches have a long tail. Stolen data is often:

  1. Sold on dark web marketplaces to lower-tier criminals

  2. Used to craft spear-phishing emails that impersonate lecturers, IT departments, or finance teams

  3. Combined with other leaks to enable credential stuffing across services

  4. Leveraged in business email compromise (BEC) scams targeting parents, alumni, and suppliers

For New Zealand institutions, this risk is amplified by tight integration between LMS platforms, Microsoft 365 or Google Workspace tenants, and student management systems.

What This Means for New Zealand Organisations

Even if your business isn't a school, you're likely affected if:

  • Your staff are studying part-time at a NZ tertiary institution

  • You provide services to schools, universities, or EdTech vendors

  • Your customers' children attend institutions using Canvas

  • You operate in a sector where Canvas-style platforms are used for staff training

Expect to see phishing emails that look like:

"Your Canvas account has been flagged for unusual activity. Click here to verify your identity before access is suspended."

Or more sophisticated lures impersonating NZQA, Studylink, or specific university IT helpdesks.

How Email Authentication Defends Against Breach Fallout

You can't undo a third-party breach, but you can make it dramatically harder for attackers to impersonate your domain. The three pillars are SPF, DKIM, and DMARC.

1. Lock Down SPF

SPF tells the world which servers are allowed to send email on behalf of your domain. A strict SPF record stops attackers spoofing your exact domain in basic phishing campaigns.

Example SPF record for a NZ business using Microsoft 365:

yourdomain.co.nz.  TXT  "v=spf1 include:spf.protection.outlook.com -all"

The -all (hard fail) is critical — ~all (soft fail) is far less effective.

2. Enable DKIM Signing

DKIM cryptographically signs your outbound mail so recipients can verify it wasn't tampered with. In Microsoft 365 or Google Workspace, this means enabling DKIM in the admin console and publishing the two CNAME records they provide.

selector1._domainkey.yourdomain.co.nz.  CNAME  selector1-yourdomain-co-nz._domainkey.tenant.onmicrosoft.com.
selector2._domainkey.yourdomain.co.nz.  CNAME  selector2-yourdomain-co-nz._domainkey.tenant.onmicrosoft.com.

3. Enforce DMARC

DMARC ties SPF and DKIM together and tells receiving servers what to do with mail that fails authentication. After breaches like the Canvas incident, a DMARC policy of quarantine or reject is the single most effective control against domain spoofing.

Start in monitor mode:

_dmarc.yourdomain.co.nz.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.co.nz; fo=1"

Then progress to enforcement:

_dmarc.yourdomain.co.nz.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; pct=100; adkim=s; aspf=s"
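The SPF and DMARC records above differ in a handful of tags, and the consequences of those tags are easy to misread. The following script is an added example for this post (not code from the original article, xteam or Instructure): it lints an SPF and a DMARC TXT record for the weak settings discussed in sections 1 and 3 (`~all`, `p=none`, relaxed alignment, missing `rua=`), and then evaluates DMARC identifier alignment so you can see why `adkim=s; aspf=s` behaves differently from the defaults. The sample records are constructed from the article's own examples with the hypothetical domain yourdomain.co.nz; the relaxed-alignment check approximates "same organisational domain" with a suffix match rather than consulting the public suffix list.

```python
"""Lint SPF/DMARC records and evaluate DMARC alignment (added example).

Not code from the original post or any vendor. Records are constructed
from the article's examples with the hypothetical domain yourdomain.co.nz.
"""
import re

# Constructed sample records: the weak and strong variants from the article.
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
SPF_STRONG = "v=spf1 include:spf.protection.outlook.com -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.co.nz; fo=1"
DMARC_ENFORCE = ("v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; "
                 "pct=100; adkim=s; aspf=s")

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def lint_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it looks strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = terms[1:]
    findings = []
    last = mechanisms[-1] if mechanisms else ""
    if last in ("~all", "?all"):
        findings.append(f"{last}: soft fail/neutral lets spoofed mail through; use -all")
    elif last in ("+all", "all"):
        findings.append("+all: authorises every host on the internet to send as you")
    elif last != "-all":
        findings.append("no terminal -all: unlisted senders are treated as neutral")
    lookups = sum(1 for m in mechanisms if _LOOKUP_RE.match(m))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record: policy strength, alignment, reporting."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":  # relaxed is the RFC default
            findings.append(f"{tag} relaxed: any subdomain can align (consider {tag}=s)")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment (RFC 7489 s3.1). Strict ('s') needs an exact
    match; relaxed ('r') accepts the same organisational domain, approximated
    here by a suffix match (a real implementation uses the public suffix list)."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return f == a or a.endswith("." + f) or f.endswith("." + a)


def dmarc_result(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Decide whether a message passes DMARC, given the domain that passed SPF
    (the MAIL FROM domain) and/or the DKIM d= domain whose signature verified.
    Returns (passed, disposition) where disposition is 'pass' or the p= policy."""
    tags = parse_dmarc(record)
    passed = False
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r")):
        passed = True
    if dkim_pass_domain and aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r")):
        passed = True
    return passed, ("pass" if passed else tags.get("p", "none"))


if __name__ == "__main__":
    for name, rec in [("SPF weak", SPF_WEAK), ("SPF strong", SPF_STRONG),
                      ("DMARC monitor", DMARC_MONITOR), ("DMARC enforce", DMARC_ENFORCE)]:
        lint = lint_spf if rec.startswith("v=spf1") else lint_dmarc
        print(f"{name}: {lint(rec) or 'OK'}")
    # A DKIM signature from a subdomain aligns under the relaxed defaults but
    # not under adkim=s, so the enforced record would reject that message.
    print(dmarc_result(DMARC_MONITOR, "yourdomain.co.nz", dkim_pass_domain="mail.yourdomain.co.nz"))
    print(dmarc_result(DMARC_ENFORCE, "yourdomain.co.nz", dkim_pass_domain="mail.yourdomain.co.nz"))
```

Run it against your own published TXT records before moving from `p=none` to `p=reject`: the alignment check is the part that surprises people, because a third-party service that signs with its own subdomain or uses its own bounce domain stops aligning the moment you set `adkim=s; aspf=s`.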

A Practical Response Checklist for NZ Schools and Businesses

If you're worried about exposure from the Canvas breach (or any similar incident), work through these steps:

  1. Confirm exposure. Check with your institution or vendor whether your domain or user accounts were affected.

  2. Force password resets for any potentially exposed accounts, and enable MFA everywhere.

  3. Audit your SPF, DKIM, and DMARC records for every domain you own — including parked domains and old marketing subdomains.

  4. Enable inbound SPF, DKIM and DMARC checking on your mail gateway. This helps block inbound messages from illegitimate senders (see the linked article).

  5. Warn your users. Send a clear, plain-English email explaining what phishing attempts to expect, and how to report them.

  6. Monitor DMARC reports for unusual sending sources claiming to be your domain.

  7. Review third-party integrations in your Microsoft 365 or Google Workspace tenant. Remove anything that isn't actively used.

  8. Brief your finance team. Breaches frequently lead to invoice fraud and CEO impersonation attempts within weeks.
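Step 6 of the checklist, monitoring DMARC reports for unusual sending sources, is only useful if someone actually reads the aggregate (`rua=`) XML that receivers send. The script below is an added example for this post (not code from the original article or any vendor): it parses a cut-down aggregate report in the RFC 7489 Appendix C format, totals the message volume per source IP where neither SPF nor DKIM aligned with the From domain, and sorts each unaligned source into "third-party service sending with its own return path" (a candidate for onboarding via DKIM or SPF) versus "unauthorised host claiming your domain" (the kind of source a `p=reject` policy exists to block). The report XML, IP addresses and domain are constructed for the example.

```python
"""Summarise a DMARC aggregate (rua) report and triage unaligned senders.

Added example; not from the original post or any vendor. The report below
is a constructed, cut-down feedback document with documentation-range IPs
and the hypothetical domain yourdomain.co.nz.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.co.nz</domain>
    <adkim>s</adkim><aspf>s</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.co.nz</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.co.nz</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.co.nz</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.co.nz</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.co.nz</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.co.nz</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published_policy, rows). Each row is one <record> flattened to a
    dict; 'dkim_aligned'/'spf_aligned' are the receiver's aligned results."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_result": rec.findtext("auth_results/spf/result"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return policy, rows


def unaligned_sources(rows):
    """Total message count per source IP where neither SPF nor DKIM aligned.
    Under p=none these were delivered; under p=reject they would be refused."""
    totals = defaultdict(int)
    for r in rows:
        if not (r["dkim_aligned"] or r["spf_aligned"]):
            totals[r["source_ip"]] += r["count"]
    return dict(totals)


def triage(rows):
    """Classify each unaligned source. A raw SPF pass for a domain other than
    the From domain usually means a legitimate service using its own bounce
    address; an SPF fail for your own domain means a host you never authorised."""
    result = {}
    for r in rows:
        if r["dkim_aligned"] or r["spf_aligned"]:
            continue
        if r["spf_result"] == "pass" and r["spf_domain"] != r["header_from"]:
            hint = f"third-party service (return path {r['spf_domain']}); onboard via DKIM/SPF if legitimate"
        else:
            hint = "unauthorised host claiming your domain; p=reject would block it"
        entry = result.setdefault(r["source_ip"], {"count": 0, "hint": hint})
        entry["count"] += r["count"]
    return result


if __name__ == "__main__":
    published, records = parse_report(SAMPLE_REPORT)
    print(f"policy published: p={published['p']} adkim={published['adkim']} aspf={published['aspf']}")
    for ip, info in triage(records).items():
        print(f"{ip:>15}  {info['count']:>5} msgs  {info['hint']}")
```

Feed it the XML attachments that arrive at your `rua=` mailbox (they are usually zipped or gzipped) and run it for a few weeks before enforcing: the third-party bucket is your onboarding to-do list, and the unauthorised bucket is the volume of spoofed mail your current `p=none` record is letting through.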

The Supply Chain Lesson

The Instructure Canvas breach is a textbook example of third-party risk. Your security posture is only as strong as the weakest vendor holding your data. For NZ organisations subject to the Privacy Act 2020, this includes a responsibility to ensure overseas providers (like US-based EdTech vendors) handle personal information appropriately.

Ask your vendors:

  • Where is our data stored, and under what jurisdiction?

  • What is your breach notification timeline?

  • Do you support SSO and enforced MFA?

  • Are you SOC 2 or ISO 27001 certified?

Check Your Email Security in 30 Seconds

Breaches like the Instructure Canvas incident don't just affect the breached organisation — they create ripple effects across every connected business and institution. The best defence is to make sure attackers can't successfully impersonate your domain when they come knocking.

👉 Run a free check with xteam's MailCheck tool to instantly see whether your SPF, DKIM, and DMARC records are configured correctly — and get a clear, prioritised action plan to close any gaps.

It takes 30 seconds, requires no signup, and could save your organisation from being the next phishing case study.