On 3 May 2026, the ShinyHunters extortion group posted a claim on its leak forum announcing a successful breach of Instructure, the US-based company behind the Canvas learning management system used by universities and higher education institutions globally. Instructure confirmed on 5 May that user data had been stolen and that information from affected institutions had been compromised. The breach affects approximately 15,000 institutions across North America, Europe, and Asia-Pacific. Among them are Swiss federal universities, universities of applied sciences, and cantonal institutions that rely on Canvas as their primary digital learning environment. For Swiss higher education data protection officers and administrators, Instructure's confirmation on 5 May started a notification clock that may already be in its final hours.
What Was Stolen and How ShinyHunters Operates
Instructure's public statement describes the compromised data as "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers." This framing, standard in breach disclosures, describes the confirmed minimum, not the confirmed maximum. Canvas as a platform stores considerably more than registration metadata: learning activity logs, assignment submissions, grading records, communication history, and — depending on institutional configuration — LTI application credentials, OAuth integration tokens, and single sign-on metadata linking Canvas accounts to federated identity systems such as SWITCH edu-ID or Microsoft Entra ID.
ShinyHunters is one of the most documented extortion groups operating at this scale. The group claimed breaches at Snowflake (2024), Ticketmaster (2024), and AT&T (2024), all of which were confirmed and all of which involved large-scale data exfiltration from cloud-hosted environments. The group's consistent operational model is large-scale theft followed by attempted private sale of the data, escalating to public release if payment is not made within the specified window. Institutions whose data is confirmed in the breach have a limited window before the information appears in secondary threat actor markets or is publicly leaked.
Swiss University Exposure
Canvas is deployed as the primary LMS at ETH Zurich, EPFL, Berner Fachhochschule, ZHAW Zurich University of Applied Sciences, Fachhochschule Graubünden, and a number of other Fachhochschulen and Pädagogische Hochschulen across Switzerland. These institutions collectively hold student and staff records for hundreds of thousands of current and former users, including EU nationals studying in Switzerland under exchange programmes and Swiss nationals enrolled at EU partner institutions who may have linked accounts.
For institutions using Canvas's SSO integrations with SWITCH edu-ID, AAI (Authentication and Authorisation Infrastructure) federation, or Microsoft Entra ID, the breach scope assessment must extend beyond Canvas account data. OAuth credentials, LTI integration tokens, and API keys that connect Canvas to external institutional systems should be treated as potentially compromised pending a complete scope assessment. If any of these credentials were stored within Canvas's infrastructure and exfiltrated, the blast radius extends to every connected system that has not yet rotated its credentials.
The combination of Swiss student records and EU-national student records at Swiss institutions creates a dual notification obligation structure. Swiss institutions storing personal data of EU data subjects are subject to GDPR's breach notification requirements under Article 33, because the regulation applies based on the location and nationality of data subjects, not the physical location of the controller. Simultaneously, nDSG obligations apply to all personal data processed under Swiss law. Both frameworks must be addressed, on timelines that are effectively aligned.
nDSG and GDPR: The Notification Framework
Switzerland's revised Federal Act on Data Protection (nDSG), in force since September 2023, requires data controllers to report breaches to the Federal Data Protection and Information Commissioner (FDPIC) when the breach is likely to lead to a high risk to the personality or fundamental rights of data subjects. The nDSG does not specify an absolute hour-based deadline in statute, but FDPIC guidance directs that notification should occur "as quickly as possible" and practice aligns with the 72-hour standard established by GDPR. For a breach of this scale and the confirmed involvement of a group with a history of public data release, the "high risk" threshold is met.
GDPR Article 33 requires notification to the competent supervisory authority within 72 hours of the controller becoming aware of the breach. "Aware" is legally defined as the point at which the controller has reasonable certainty that a breach has occurred — not when a full investigation is complete. Instructure's public confirmation on 5 May 2026 constitutes the trigger date for Swiss institutions that learned of the breach through that disclosure. For institutions whose data is confirmed in scope, the 72-hour window closed on 8 May. For institutions still assessing whether they are in scope, the clock runs from the moment they reach reasonable certainty that they are.
GDPR Article 34 further requires individual notification to data subjects whose data has been compromised when the breach is likely to result in high risk to those individuals. For a dataset that includes names, email addresses, and identifiers that ShinyHunters may sell or release, individual notification is required. For institutions with tens of thousands of students in Canvas, this is a significant operational effort requiring prepared communication templates, defined distribution channels, and legal review before dispatch.
◆ Key Takeaway
The notification clock started on 5 May when Instructure confirmed the breach. Swiss universities that cannot determine within 24 hours whether their institution is in the compromised dataset must treat themselves as in scope and initiate the FDPIC and relevant GDPR supervisory authority notification process. Waiting for Instructure to provide a definitive affected-institutions list is not consistent with either nDSG or GDPR notification timelines.
Third-Party Processor Obligations and What the DPA Requires
The Instructure breach is a canonical third-party processor incident. Instructure is the data processor; Swiss universities are the data controllers. The legal reporting obligation falls on the controller. Instructure's breach notification to affected institutions starts the controller's clock — it does not satisfy the controller's obligation to report to supervisory authorities. This distinction is consistently misunderstood in third-party breach scenarios and consistently leads to controllers reporting late because they waited for the processor to "handle it."
Swiss institutions should use this incident to audit their Data Processing Agreements with Instructure and, by extension, with all other SaaS providers handling personal data. GDPR Article 28 requires DPAs to include specific obligations: the processor must notify the controller of a breach "without undue delay," and the DPA must specify security measures, sub-processor disclosure requirements, and the processor's obligations regarding data subject rights. Institutions whose Canvas DPAs predate nDSG's entry into force in September 2023 may have agreements that do not satisfy current requirements for either framework. This incident is the appropriate trigger for a comprehensive DPA audit across all institutional SaaS relationships.
- Contact Instructure immediately to confirm whether your institution appears in the compromised dataset — do not assume you are outside scope based on size or geography.
- Assess nDSG and GDPR notification obligations: if confirmed in scope or if reasonable certainty exists, notify the FDPIC and the relevant EU supervisory authority; do not wait for a complete forensic investigation before notifying.
- Rotate all Canvas LTI integration tokens, OAuth credentials, and API keys connected to external institutional systems as an immediate precautionary measure.
- Assess SWITCH edu-ID, AAI federation tokens, and Microsoft Entra ID integration credentials — treat any identity federation credentials exposed to Canvas as potentially compromised and rotate them before investigating scope.
- Prepare individual breach notifications for students and staff whose data may be in the compromised dataset, in compliance with GDPR Article 34 and nDSG individual notification obligations.
- Audit your DPA with Instructure for compliance with GDPR Article 28 and nDSG requirements — processor notification obligations, security commitments, and sub-processor disclosure must all be present and current.
- Use this incident as the trigger to review DPAs with all SaaS processors holding institutional personal data — assess breach notification clauses, security obligations, and data residency commitments across your full vendor estate.
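As an added example (not from the article, Instructure or any Swiss institution), a Python script that builds the rotation worklist the credential-rotation items above call for, by inventorying the LTI external tools installed in a Canvas account. The Canvas REST endpoint, field names and Link-header pagination are used as Instructure documents them and should be verified against your instance; the host name, account id and consumer keys are constructed placeholders.

```python
"""Canvas LTI external-tool inventory for credential rotation (added example).

Parses paged results of the Canvas REST API call
GET /api/v1/accounts/:account_id/external_tools (endpoint, fields and
Link-header pagination as documented by Instructure; verify against your
instance). Sample payloads are constructed so the script runs offline."""
import json
import re
import urllib.parse
import urllib.request

SAMPLE_PAGES = [  # constructed: two pages for account 1; keys are placeholders
    ('[{"id": 11, "name": "Plagiarism Checker", "consumer_key": "PLACEHOLDER-KEY-A", "domain": "checker.example.com", "url": null},'
     ' {"id": 12, "name": "Video Platform", "consumer_key": "PLACEHOLDER-KEY-B", "domain": null, "url": "https://video.example.com/lti/launch"}]',
     '<https://canvas.example.edu/api/v1/accounts/1/external_tools?page=2&per_page=50>; rel="next",'
     ' <https://canvas.example.edu/api/v1/accounts/1/external_tools?page=1&per_page=50>; rel="current"'),
    ('[{"id": 13, "name": "Plagiarism Checker (dept copy)", "consumer_key": "PLACEHOLDER-KEY-A", "domain": "checker.example.com", "url": null}]',
     '<https://canvas.example.edu/api/v1/accounts/1/external_tools?page=2&per_page=50>; rel="current"'),
]

def next_page_url(link_header):
    """Return the rel="next" URL from an RFC 8288 Link header, or None on the last page."""
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="([^"]+)"', part)
        if m and m.group(2) == "next":
            return m.group(1)
    return None

def rotation_worklist(pages):
    """One row per (consumer_key, vendor host): the unit you rotate with the
    vendor. Root-account and departmental sub-account installs often share it."""
    groups = {}
    for body, _link in pages:
        for tool in json.loads(body):
            host = tool.get("domain") or urllib.parse.urlsplit(tool.get("url") or "").hostname
            groups.setdefault((tool.get("consumer_key"), host), []).append(tool["name"])
    return [{"consumer_key": key, "host": host, "tools": sorted(names)}
            for (key, host), names in sorted(groups.items(), key=lambda kv: (kv[0][1] or "", kv[0][0] or ""))]

def fetch_pages(base_url, account_id, token):
    """Live variant (not run here): follow rel="next" until the listing is exhausted."""
    url, pages = f"{base_url}/api/v1/accounts/{account_id}/external_tools?per_page=50", []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            pages.append((resp.read().decode(), resp.headers.get("Link", "")))
        url = next_page_url(pages[-1][1])
    return pages
```

Run `fetch_pages` once per root account (and per sub-account if tools are installed there) with an admin token, then work through `rotation_worklist` vendor by vendor; each row is one key to re-issue and one vendor to confirm the old key is revoked.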
The Canvas breach is not primarily a story about a US education technology company. It is a story about institutional data entrusted to a processor, and the notification and response obligations that fall on the data controller when that processor is breached. Swiss higher education institutions that have not reviewed their third-party data processing frameworks since nDSG entered into force in September 2023 have a defined action item. The next breach may involve a processor with a slower disclosure timeline than Instructure demonstrated. Knowing your DPA obligations before that happens is significantly easier than learning them under a 72-hour reporting deadline.