275M records. 9,000 schools. 24+ class-action lawsuits. The April-May 2026 Instructure (Canvas) breach forced every district in America into a procurement re-evaluation. Here's what to do — and why Drivia's data architecture is fundamentally different.
Two confirmed incidents — April 29 and May 7, 2026 — exposed an estimated 275 million records (students, teachers, parents) across approximately 9,000 schools and higher-ed institutions. Instructure's first public statement came 11 days after initial disclosure. As of mid-May 2026, 24+ class-action lawsuits have been filed. The U.S. Department of Education's FERPA Office issued updated guidance for affected institutions.
By scale, yes. At 275M records, it dwarfs Chegg 2018 (40M), PowerSchool early 2025 (count unknown, but smaller per public reporting), and earlier Canvas-adjacent incidents. The combination of K-12, higher-ed, and workforce-training scope is what makes it historically large.
Three immediate steps. (1) Force-reset SSO tokens for any account that authenticated against Canvas in the affected window. (2) Run a parent notification per state-law data-breach disclosure rules (timelines vary — CA 45 days, TX 60 days, NY 30 days from confirmed breach). (3) Open an LMS-alternative evaluation if your contract is up for renewal in 2026 — most districts are. The breach forces a re-procurement conversation regardless.
Postgres Row-Level Security (RLS) enforced from day one — every row is tenant-scoped and cross-tenant queries are mathematically impossible at the database layer. Append-only audit log with 40+ event types. HMAC-SHA256 signed webhooks. SOC 2 Type I in audit (Q3 2026). FERPA-compliant deployment with parent/guardian access controls. HIPAA BAA available. Multi-tenant isolation tested with red-team adversarial queries.
Three paths. (1) Coexist in 1 week via LTI 1.3 — Drivia sits inside your existing Canvas as the AI-tutoring layer, no migration required. (2) Phased over one academic term — migrate the top 20% most-used courses (which drive 80% of activity) and run both LMSs in parallel. (3) Full cutover in 2-4 weeks — Common Cartridge import, AI rewrites with citations, mastery quizzes generated, instructors review and publish.