Park City schools say Canvas breach exposed some local data

Names, emails and student ID numbers for some Park City students, teachers and staff were exposed in a Canvas breach tied to 275 million users.

Marcus Williams

Names, email addresses and student identification numbers for some Park City School District students, teachers and staff were exposed in a Canvas cybersecurity breach, and families should now watch for phishing, change any reused passwords, and check school-linked accounts and records for unusual activity.

The district said it was notified on May 5 that its data was part of an April 25 incident tied to Instructure, the company behind Canvas. Park City families were told on Thursday, May 7, after the company said the breach affected about 275 million users nationwide.

Instructure said the compromised information included names, email addresses and student ID numbers. It said there was no evidence that passwords, dates of birth, government identifiers or financial information were exposed. Even so, names and school account details can still be useful to scammers who try to impersonate district staff, send convincing phishing emails or probe for access to student and employee accounts.

For Park City parents, that means treating every message that claims to come from the district, a teacher or Canvas with caution this week. Check whether email addresses and phone numbers on file are current, enable multifactor authentication wherever it is available, and review any accounts that use the same password as a school login. If a child’s school records are connected to other services, monitor those accounts for password reset requests, unfamiliar sign-ins or changes to contact information. Because student IDs were among the exposed data, families should also keep an eye on any messages about records, enrollment or account recovery that could be fake.

Canvas is deeply woven into daily school life in Utah. The Utah Education Network says educators across the state use it to support more than 672,662 K-12 students and about 200,000 higher education students, which is why even a vendor-level incident can ripple far beyond one district. The University of Utah said its systems were not affected, and the Wasatch County School District said it uses Canvas but had not been told whether its data was involved.

Instructure said it revoked privileged credentials and access tokens, patched systems, rotated certain keys and increased monitoring. It also recommended multifactor authentication on privileged accounts, admin-access reviews and token or key rotation. Park City officials have not said whether any local accounts have been misused, leaving families with a narrow but real risk: the information exposed may not be enough for a full identity-theft case on its own, but it can still feed targeted fraud against students and employees.
