Canvas cyberattack disrupts Plano, Allen schools during finals season

Canvas’s cyberattack landed where it hurts most, in the stretch before finals, when Plano ISD and Allen ISD students were relying on the platform for assignments, grades, lecture materials and teacher updates. For families in Collin County, the outage was not a distant technology problem. It hit the daily rhythm of school work, from last-minute studying to checking what teachers had posted for end-of-year testing.

The scale of the breach made the disruption more alarming. Security analysts said the ShinyHunters group claimed 3.65 terabytes of stolen data and said the information belonged to 275 million students, teachers and other people at nearly 9,000 education institutions worldwide. Even before any local impact was fully measured, that claim turned a school platform outage into a privacy and security concern, especially for parents wondering whether student records or contact information could have been exposed.

Plano ISD said that for the 2025-2026 school year, only Algebra 1, Spanish 1 and Spanish 2 were on Canvas, but even that limited use can matter when finals are approaching and students are trying to keep track of coursework. Allen ISD said it uses Canvas in secondary courses as a digital extension of the classroom. Its 2025-2026 calendar shows the last day of school is Friday, May 22, and Allen High School’s semester-exam policy allows some students in grades 10-12 to be exempt if they meet academic and attendance criteria, another sign that end-of-year testing logistics are tightly managed.

Southern Methodist University felt the same pressure. On May 7, the university rescheduled final exams originally set for Friday, May 8, to Sunday, May 10. SMU’s Spring 2026 in-person final exam period on the Dallas campus runs May 11-15, showing how closely the outage overlapped with the most sensitive part of the academic calendar.

Instructure said on May 6 that the Canvas security incident was resolved and that Canvas was fully operational, while advising customers to enforce multi-factor authentication on privileged accounts, review admin access and rotate API tokens or keys where applicable. A day later, the company said it was still investigating and had moved Canvas, Canvas Beta and Canvas Test into maintenance mode during the response. For Plano and Allen families, the lesson is clear: when the core school platform fails during finals season, learning, testing and communication all take a hit at once.