Canvas Security Incident

Update: May 11, 4:00 PM

Words matter, and can carry legal implications, especially when used incorrectly. At this moment, this is a vendor-related security incident.   

Below are a few tips on how to communicate about this matter:

1. What does “vendor-related security incident” mean?  Bellevue College’s infrastructure, email, passwords, ctcLink were not in scope or at risk; only the vendor’s infrastructure was. The bad actors gained unauthorized access to Instructure’s infrastructure, including thousands of Canvas LMS instances, affecting institutions globally.
2. Was this a data breach? We cannot speak to or confirm that until Instructure’s forensic investigation provides us with the specifics regarding our data. Please refrain from using such language and refer to this as a “vendor-related security incident.”
3. Is there a need to change my Bellevue College NetID or ctcLink credentials? At this time, we have no evidence that those passwords were exposed, but users are free to change them if they feel the need to be overly cautious.
4. I’m a student, and I have questions about deadlines or assignment submissions: Please address your questions to your instructors.
5. I’m a faculty member who needs assistance: Please connect with eLearning for tips on how to update coursework and assignment due dates, grant extra assignment or test attempts, export course content, and more.
6. Concerned about sensitive information shared within the Canvas platform? Feel free to reach out directly to Bellevue College’s Dean of Student Support Megan Kaptik or Bellevue College’s IT Security Manager Agnes Figueroa. If disability specific, reach out to the Disability Resource Center.

Update: May 8, 10:03 AM

Canvas services have been restored for Bellevue College users. If you are still encountering issues logging in, please clear your browsers cache and cookies then close your browser. If you are still encountering issues after that please submit a ticket separately and we can assist you.

Update: May 8: 12:53 AM

Instructure has posted additional information about the incident on its website. View Instructure’s Incident Website.

Update: May 7, 4:57 PM

Instructure, the company that operates Canvas, recently notified Bellevue College that an unauthorized third party obtained data associated with our Canvas environment. Based on what Instructure has shared so far, the data involved may include some personal information, but Instructure has not yet provided details about what was obtained or what accounts at our college were affected.  

Instructure has stated publicly that names, email addresses, student ID numbers, and user-to-user Canvas messages were potentially involved across the broader incident. Instructure has also reported no indication that passwords, dates of birth, Social Security numbers or financial account information were involved. If Instructure’s findings change, we will update affected community members.   

As good general practice, please be alert to unexpected emails, text messages, or phone calls that ask for personal information or that direct you to log in through unfamiliar links. If you receive a message that looks suspicious, mark it as spam, do not click links in it, and submit a ticket if you need assistance.

We will share additional information as confirmed details become available. Thank you.  

Original Post: May 7

Bellevue College is sharing information on a security incident involving Canvas, the learning management system used at our college and at colleges across the country. 

Instructure — the company that operates Canvas — recently notified Bellevue College that an unauthorized third party obtained data associated with our Canvas environment. This incident was not specifically directed at Bellevue College. Instructure serves many institutions, and this appears to be a vendor-driven incident affecting multiple education customers. Instructure has stated that the broader incident affected many institutions in the United States.

Federal law enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has been notified by Instructure. 

What was involved at our college: Based on the information Instructure has provided to us so far, the data involved may include personal information; however, Instructure has not yet provided the exact data elements or affected user count for our college. Instructure has stated publicly that, across the broader incident, names, email addresses, ID numbers, and user-to-user Canvas messages were potentially involved. We have asked Instructure to confirm specifically what was involved, including whether Canvas messages were affected and how many users were impacted, and we will share additional information as we receive it. 

What was reportedly not involved: Instructure has stated that there is no indication that passwords, dates of birth, Social Security numbers, or financial account information were involved. If Instructure’s findings change, we will update affected community members. 

What we are doing: Bellevue College is working with the State Board for Community and Technical Colleges (SBCTC), to press Instructure for additional information about what was specifically involved at our college. We will provide further updates on this page as additional confirmed information becomes available. 

Instructure has indicated that organization-specific resources, including identity-protection services for affected individuals, may follow. We will share details as they become available.

Anyone with questions can contact servicedesk@bellevuecollege.edu. Out of an abundance of caution, members of our community are encouraged to be alert to phishing attempts or unexpected messages requesting personal information.