Dear Students, Faculty, and Staff,
This is to inform you of a recent cybersecurity incident involving Instructure at all CSU campuses, the vendor that provides Canvas, the learning management system for the CSUEB, SFSU and SSU campuses.
We have been informed that the threat actor accessed data from many educational institutions worldwide stored at Instructure’s site that likely included information from the CSU. Instructure is still confirming what data may have been exposed, but based on their preliminary assessment, it may include personal information such as names, campus email addresses, student ID numbers, and user messages. At this time, neither Instructure nor we are able confirm whether any individual’s data was included. Canvas does not store passwords, Social Security numbers, financial information, or dates of birth.
Canvas remains fully operational, and there is no evidence of an ongoing threat. Instructure has contained the incident, remediated the vulnerability, and will continue to investigate in coordination with external forensic experts and law enforcement.
Out of an abundance of caution, we encourage all community members to remain vigilant for phishing or suspicious communications and to report any such activity to support@sfbrn.calstate.edu.
Password resets are not required at this time; we will notify you if that guidance changes.
We are continuing to work with Instructure to determine the full scope of impact and will provide updates, including resources for affected individuals, as more information becomes available at https://lts.calstate.edu/csu-canvas-incident-reports . If you have any questions or concerns, please contact the Network Support Center (https://www.sfbrn.calstate.edu/support) or your local Academic Technology Support.
Sincerely,
Thomas Dixon
Chief Information Security Officer
San Francisco Bay Region Network (CSUEB|SFSU|SSU)