Security incident concerning Canvas
A security incident has been detected at the provider of the Canvas learning platform. On this page, you will find information relating to the incident.
Canvas operational again
Canvas provider Instructure has decided to reach an agreement with the unauthorised actor responsible for disrupting the platform. This is a decision made by Instructure based on its own assessments.
Mälardalen University has had no contact with the unauthorised actor, has not been involved in this decision-making, and has no insight into any agreements. The University’s position is clear: we do not engage with unauthorised actors under any circumstances.
MDU continues to monitor developments closely and is continuously reviewing any new information or changes related to the incident.
It is also important that all staff and students remain vigilant against suspicious emails and other forms of phishing attempts. Be particularly cautious of unexpected requests to provide login credentials or to click on links. If in doubt, do not proceed and report the incident to abuse@mdu.se. If you have questions about how MDU processes your personal data, please contact dso@mdu.se.
Latest Updates Monday 11 May
According to information from Instructure, extensive technical and organisational security measures have been implemented, and Canvas is currently considered safe to use. The platform therefore remains available, although certain limitations may occur.
The University is closely monitoring developments in dialogue with Instructure and Sunet. As part of the incident management process, Sunet has filed a police report.
The information on this page is updated continuously as new, verified information becomes available or if Mälardalen University’s assessment changes.
If, as a user, you notice anything unusual in Canvas or in associated functions and integrations, please contact the University’s helpdesk.
Canvas and Ladok
The integration between Canvas and Ladok will remain disabled until 18 May. After that, Ladok will make a new assessment.
How this affects us as a higher education institution:
- Result reporting is temporarily disabled in Canvas. If you need to report results during this period, you can do so directly in Ladok. If you have questions regarding result reporting in Ladok, please contact your departmental administration.
- New and updated courses in Ladok will not be created or updated in Canvas during this period.
- Student registrations in Ladok will not be automatically synchronised to Canvas during this period, but will instead be handled manually by IT.
Updated information regarding the ongoing security incident in Canvas
Instructure, the provider of the Canvas learning management system, announced on 8 May 2026 that the ongoing security incident (data breach) has not yet been resolved, as new attacks have been identified affecting their systems. The incident affects several Swedish higher education institutions, including Mälardalen University (MDU)
The ongoing investigation indicates that an external unauthorised party has likely had access to data associated with MDU’s Canvas environment. This constitutes a personal data breach under the General Data Protection Regulation (GDPR), and the University reported the incident earlier this week to the Swedish Authority for Privacy Protection (IMY). The matter remains under investigation, and it is not currently possible to determine with certainty which personal data or which individuals have been affected.
According to the latest information provided by the supplier, the unauthorised access may have included certain identifying personal data, such as names, email addresses, and user or student IDs. At present, there is no information indicating that passwords, personal identity numbers, dates of birth, or financial information have been exposed. However, it is also possible that content within the Canvas messaging function has been accessible to unauthorised parties. The messaging function contains free-text entries, meaning that the content may vary depending on how you, as a user, have utilised the platform. At this stage, it cannot be ruled out that information of a more sensitive nature may also have been included in these messages. This means there is a risk that personal data processed in Canvas – both identifying information and potentially communication content within the messaging function – may have been accessible to unauthorised parties. This could in turn result in privacy-related consequences.
MDU is closely monitoring developments and will update its assessment as further information becomes available from the supplier. If you have any questions regarding your personal data, please contact the University’s Data Protection Officer at dso@mdu.se.
Service disruptions in Canvas on 8 May
In light of the incident and as a precautionary security measure, Canvas was temporarily shut down on Friday, 8 May 2026, and major service disruptions are still ongoing. Security measures are being continuously assessed and implemented to limit the risk of further unauthorised access.
What is MDU doing?
MDU is managing the incident in accordance with the GDPR and the University’s internal procedures for personal data breaches. Risk assessments are being carried out and continuously reviewed in close dialogue with the supplier, as well as through national coordination via Sunet.
What should you as a user do?
At present, no specific actions are required on your part. As a precaution, MDU recommends that you remain vigilant for suspicious emails or other contact attempts, do not share your login credentials, and use strong and unique passwords across other services.
Further information
We will continue to provide updates on this page as verified information becomes available or if the University’s assessment changes. Please be aware that there is a significant amount of unverified information circulating regarding this incident.
No new information since yesterday.
Instructure, the provider of the learning management system Canvas used at Mälardalen University (MDU), has informed us of an ongoing security incident affecting its environment. The investigation is still ongoing with the support of external cybersecurity experts. Instructure has now confirmed that MDU is one of the organisations whose account has been affected by the incident.
Based on the information shared so far by Instructure, an external, malicious actor has gained unauthorised access to data associated with MDU’s Canvas account. The data that may have been accessible is reported to include personal data. According to Instructure, there are currently no indications that passwords, dates of birth, government-issued identifiers or financial information were involved.
In Sweden, Canvas is provided to higher education institutions by Sunet (Swedish University Computer Network). Sunet is part of the Swedish Research Council and operates Sweden’s university data network, offering digital services to higher education institutions.
What has happened?
On 25 April 2026, Instructure was subjected to a cyberattack in which an external actor exploited a vulnerability in a system provided by the vendor. The attack was detected on 29 April, at which point the identified access was immediately revoked. As the investigation was subsequently expanded, additional suspected access was revoked, and the underlying vulnerability was remediated on 30 April. Instructure has stated that there are currently no signs of an ongoing threat. The discovery was made public by Instructure on 2 May.
As part of the incident response, Instructure has, among other measures, engaged an external forensic partner, notified law enforcement authorities, and implemented extensive technical security measures, including blocking compromised accounts, revoking access keys and introducing enhanced protective measures across the platform.
Impact on MDU
Instructure has confirmed that data associated with MDU’s account has been subject to unauthorised access. Work is currently under way to determine which specific data and which categories of data subjects may have been affected. At present, there is no verified information indicating that the data has been disclosed or further disseminated, but the incident is assessed to potentially involve personal data.
The security measures implemented by the vendor, such as restrictions on access, revocation of keys and changes to how tokens can be generated, may in some cases have resulted in temporary disruptions or limited functionality for external integrations or services connected to Canvas. The production environment for Canvas is currently operational. Some test environments are being restored gradually.
What is MDU doing?
The University is carrying out continuous and structured risk assessments to determine whether and to what extent the incident may pose a risk to the rights and freedoms of data subjects, in accordance with the General Data Protection Regulation (GDPR). These assessments are being updated on an ongoing basis as new, verified information becomes available from Instructure and other relevant parties.
In parallel, MDU has established a dialogue with the vendor and is analysing the incident from a legal, technical and organisational perspective, including any potential obligation to inform affected data subjects and the supervisory authority. The University aims to communicate accurate, factual and verified information in order to maintain transparency and reduce the risk of speculation and unnecessary concern during the ongoing investigation.
Recommendation to users
As a general precautionary measure, users are advised to remain alert to suspicious emails or other contact attempts, not to share their login credentials, and to use strong and unique passwords.
Further information
We will continue to share information on this page as updated and verified information becomes available from Instructure, Sunet, or when the University’s own assessment of the incident changes.
If you have been affected and have questions regarding your personal data, you are welcome to contact the Data Protection Officer at dso@mdu.se.