A letter from the founder · May 8, 2026
9,000 institutions. 275 million records. 3.65 terabytes of student data taken. Service down nationwide during finals week. My alma mater, the University of Mary Hardin-Baylor, sent the notice this afternoon.
This is not a sales letter. It is the technical and architectural argument for why this keeps happening — and what we built Drivia to do differently.
I’m a student at the University of Mary Hardin-Baylor. My finals start Monday.
This afternoon my school sent me an email. Canvas — the platform every assignment, every grade, every message between me and my professors lives on — is in a nationwide outage during finals week. We’re not the only school. Around 9,000 institutions are dark. 275 million students worldwide. Peers at Harvard, Princeton, Duke, MIT, Oxford, Berkeley, Northwestern, Chicago, the University of Wisconsin system, Penn, Rutgers, Oklahoma State — same email today.
3.65 terabytes of student records and private messages were taken from one company. Names, emails, student IDs, and the messages we send our professors when we’re struggling with a concept and don’t want anyone else to see.
I want to ask the people in higher ed who have to clean this up some real questions, not pitch you anything.
How much control did you actually have here? Could you have prevented this if you’d tried? Could you have caught it sooner? When the breach happened, did you have the data on your side to understand what was taken, or are you waiting for the vendor to tell you?
How much are you paying them every year? And what’s the real return on that — not just dollars, but the security posture you got back, the audit trail your CISO can actually read, the architectural review they’re allowed to perform on production?
This is the second confirmed Instructure breach in eight months. Why does that keep happening?
I think the honest answer is that we treat learning platforms like utilities, but utilities are supposed to be regulated and architecturally boring. Institutions picked a centralized vendor and gave up sovereignty in the process. The fix is not to switch to a different centralized vendor. The fix is institutions owning the architecture, the data, and the audit trail of their own platform — and a vendor whose business model is to hand them the keys instead of hold them.
By the numbers
9,000+
institutions affected
275M
individual records
3.65 TB
of stolen data
2 of 2
Instructure breaches in 8 months
Coverage as of May 7-8, 2026: Harvard Crimson, Daily Princetonian, BleepingComputer, DataBreaches.net, TechRadar, NBC, CBS Chicago, Reuters, Daily Cal, The Next Web, NZ Herald, WRAL, Rutgers IT, UCnet. ShinyHunters claimed the breach; Instructure confirmed exploitation of a vulnerability in production systems. AWS infrastructure was not the cause.
Litigation underway
Lead plaintiff
Jane Doe v. Instructure
A Baylor nursing student. U.S. District Court, Waco, Texas. Plaintiff’s attorney Nicholas Hall. Damages sought exceed $5 million. Class-action status sought.
Causes of action
Negligence + three more
Negligence, breach of implied contract, breach of confidence, unjust enrichment. KKR & Co., Instructure’s private-equity owner, is also named in several of the suits.
What got exposed
Private messages, not just records
Student emails, student IDs, and the Canvas messages students sent their professors — including disability accommodation requests and harassment complaints. The categories families assume are private.
Instructure CEO Steve Daly
“Rebuilding trust takes time. We’re going to earn it back through consistent action.”
Cynthia Kaiser, former FBI Cyber Division deputy director
“Payment does not end the threat. Stolen data will be exploited as long as it remains profitable.”
Instructure has acknowledged reaching an agreement with the hacking group — an undisclosed ransom in exchange for promised deletion and an assurance no customers would be extorted. The lawsuits continue regardless. Trust, once architected as a single point of failure, does not return because the vendor asks for it.
The architecture
Plain English on every line. Each item has a corresponding control surface a CISO can audit on day one of an engagement.
Virtual Resource Integrity Model
Every record is partitioned at the row level. A session can read exactly the data it was authorized to read and nothing else. Cross-tenant access is treated as a hard refusal, not a soft warning.
Canvas held one centralized 9,000-customer dataset. We do not architect that way.
Immutable evidence of every action
Every clinically and academically relevant action writes to an immutable log. Attackers cannot rewrite the trail to hide their tracks. CISOs read it directly, end-to-end.
Most LMS audit logs are mutable database tables you have to trust the vendor to preserve.
IGZ · NEZ · SROI · V-RIM, with rationale
Every AI turn passes through a four-coordinate governance reading: intent, zone, return, integrity. Plain-English rationale next to every decision so a regulator or an auditor can read it.
Other AI tutors render decisions as a black box. We render them as coordinates.
No single API as a single point of failure
Drivia routes across Groq, NVIDIA NIM, Cerebras, OpenRouter, OpenAI, Anthropic, DeepSeek, xAI Grok, Mistral, and self-hosted Qwen. UCB1 selection learns from grounding and latency. No single vendor outage takes the platform down.
Single-vendor dependence is the same concentration failure as single-LMS dependence.
Explicit posture, contractually enforced
Customer data is never fed to model training pipelines, ours or third parties. The opt-out is the default, not the upgrade.
Read your current LMS terms carefully. The default is rarely opt-out.
Public surfaces never see real PHI/FERPA data
Every public demonstration of Drivia uses synthetic patients, synthetic students, synthetic transcripts. Real institutional data lives only inside the institution.
Most LMS demos use redacted real data. Redaction is not the same as separation.
The business model
The dominant LMS model is per-seat licensing on a centralized vendor cloud. The institution pays more every year, controls less every year, and sits inside a 9,000-customer dataset that a single vulnerability can expose. Drivia flips that contract.
Flat annual fee. No per-seat extortion. Institutions know exactly what they pay, every year, no surprise scaling.
Institutional Postgres, institutional cloud, institutional residency. Drivia ships the platform; you keep the data.
We document every architectural decision and we train your IT staff and your students to maintain it. Sovereignty means knowing the system, not just owning the contract.
Architectural reviews on production. CISOs get read access to the schema, the audit log, and the governance trail. No black boxes.
This is the model managed-learning resellers can build under, the model TechServ closes its multi-million-dollar deal under, and the model Liberty’s procurement team is reviewing this month. If your institution is rebuilding its trust posture this week, it is the model worth a fifteen-minute conversation.
Why it keeps happening
The technical detail of this incident — a vulnerability exploited in Instructure’s own production systems, custom Python scripts and legitimate API tools used to extract 3.65 terabytes — matters less than the structural fact underneath it. Nine thousand institutions had no realistic way to prevent or mitigate this. They picked the dominant vendor. The dominant vendor became the single point of failure. The math does not work.
ShinyHunters, the group behind this breach, also hit Anodot via OAuth token theft, Snowflake-tenant customers via credential stuffing, and Vimeo via cloud-data exfiltration. The pattern is consistent: target vendors with concentration, because a single breach cascades across thousands of customers. Vendor concentration is the architecture they exploit.
An institution cannot solve this by switching to a different centralized vendor. It can only solve this by changing the architecture. Sovereignty over the data, immutability of the audit trail, real-time governance with auditable rationale, and a vendor whose business model rewards giving the institution control instead of taking it away.
That is what we built. That is the bet.
If you are writing the board memo this week
Fifteen minutes with the founder. No deck, no demo unless you want one — just the architectural conversation your board is about to ask you to have. UMHB student watching his own school go dark today. Skin in the game.
— Wilson Guenther · Founder, CEO and CTO · Drivia · UMHB student · May 8, 2026