Ransomware attack briefly disrupts KU Canvas access during spring semester crunch

A ransomware attack on the company behind Canvas briefly cut off University of Kansas students and instructors from assignments, schedules and course materials at the worst possible point in the semester, just as Stop Day had closed out regular classes and final work was piling up. The outage hit a system many KU faculty use for grading, assignment submission and course communication, leaving students unable to turn in work or check course details for several hours.

KU Provost Arash Mafi told the university community at 11:55 a.m. Friday, May 8, that the nationwide disruption appeared to have ended and that no student would be penalized for circumstances beyond their control. The university said assignment deadlines tied to Canvas should have been paused or made flexible unless instructors had said otherwise, and students were told to email instructors if they were unsure how or where to submit work. KU also urged students to save copies of their work, keep timestamped files and contact the Student Access Center if they needed additional accommodations.

Faculty were told to download copies of their grade books immediately, a sign of how close the university was to final grade submission and spring graduation. KU’s spring 2026 academic calendar lists the first day of classes as Jan. 20 and the final deadline to apply for spring graduation as March 2, underscoring how quickly a software failure could ripple through grading, exams and degree paperwork. KU also noted that Stop Day is governed by University Senate Rules and Regulations, which bar academic assessments such as exams from being scheduled that day.

KU spokeswoman Erin Barcomb-Peterson said the outage was not expected to affect the university’s ability to confer degrees later in May, and she said KU did not pay any ransom to resolve the problem. The university’s own Canvas guidance said students who felt unfairly treated because of the outage should first work with the relevant unit or department to seek a resolution.

The KU disruption was part of a broader national attack that hit hundreds of universities, including Penn State University, the University of Pittsburgh and Pittsburgh-area campuses, along with Pittsburg State University in Kansas. Instructure later said Canvas was fully operational and recommended customers enforce multifactor authentication on privileged accounts, review admin access and rotate API tokens or keys where appropriate. Security reporting said names, email addresses, student ID numbers and some private messages were exposed, while Instructure said there was no evidence passwords, financial data, government IDs or dates of birth were exposed. ShinyHunters claimed responsibility and said it had stolen about 3.65 terabytes of data, though that figure was not independently confirmed by Instructure.