No, Colleges Can’t Just Quit Canvas

In the span of two weeks, a massive data breach poisoned the reputation of higher education’s dominant learning management system, Canvas. Not only did the hack compromise the personal data of some 275 million users and disrupt finals week at universities across the country, Canvas’s parent company, Instructure, is also facing a barrage of lawsuits and a congressional investigation.

Canvas got back up and running after Instructure paid a ransom to ShinyHunters—the cybercrime gang that has hacked Canvas three times in the past year—to recover the stolen data, against conventional cybersecurity wisdom. While the move brought immediate relief to users, it also generated further frustration from many faculty members and students who remain skeptical that their data is safe. And in the fallout, some have suggested switching to another platform or building their own LMS.

Despite all that, numerous experts told Inside Higher Ed that the public ire directed toward Canvas—which is used by 41 percent of higher education institutions across North America to deliver courses—likely won’t be enough to topple its effective rule of the third-party LMS market; the second-most popular LMS, Blackboard, has about 17 percent of the market share.

“Of course it’s going to damage their reputation, but I’m having trouble thinking of a time when a major security incident has truly had long-term fiscal impacts on a company,” said Mike Corn, a strategic technology consultant and former chief information security officer for the University of California, San Diego. “It’s a lot of work for an institution to change their learning management system, because they have thousands of classes that need to be ported over. It’s typically a two- to three-year process.”

That tracks with data from Inside Higher Ed’s 2026 Survey of Campus Chief Technology/Information Officers, which found some dissatisfaction with the LMS status quo even prior to the recent breach—coupled with a commitment to these systems as infrastructure. According to the survey, roughly half of CTOs said students and faculty are increasingly using tools outside their LMS for teaching and learning (47 percent), and they said their institution needs better integration between administrative and learning systems to improve student success (57 percent). Some 12 percent of CTOs reported actively exploring alternatives to their current LMS models.

At the same time—in a reflection of how institutions have come to rely on these systems to deliver courses—92 percent of campus tech leaders said the LMS remains the central hub of their digital learning ecosystem. Nearly the same share said the LMS will remain essential for institutional compliance and data needs, regardless of pedagogical trends. (The survey was finalized before the cybercriminals twice infiltrated Canvas earlier this month, but after a prior attack on Instructure’s Sa l esforce instance.)

And even if the Canvas hack does push some colleges and universities to embark on the laborious process of changing LMS providers, there’s no guarantee that others aren’t vulnerable to a similar attack. That’s in part because very few, if any, colleges and universities have the resources to properly evaluate a product’s security systems. Instead, they “just have word of mouth and contractual language as to what a company is doing in terms of security,” Corn said. “The only solution to this is legislation that requires companies by law to use modern best practices.”

But that’s a difficult proposition in the current, regulation-averse political environment, even as the White House is reportedly signaling greater interest in artificial intelligence oversight. In any case, Corn and others said Instructure isn’t the only organization that should be reflecting on the incident, which is considered the largest education security breach on record.

“This is a real wake-up call that is broader than Instructure or the LMS,” said Phil Hill, an education-technology market analyst. “Universities need to think about academic continuity and how they can keep their university running if something happens.”

Builder Beware

But the answer for most universities isn’t abandoning a third-party LMS and attempting to build one in-house. That’s partly because most institutions don’t have the IT staff to build and manage an LMS, much less protect it from sophisticated cybercriminals.

According to Inside Higher Ed’s CTO survey, 62 percent of campus tech leaders said they worry their institution won’t be able to recruit or retain qualified IT talent in the coming years, while 59 percent are also worried about a critical cybersecurity breach or ransomware event.

“There may be a groundswell of people asking for [an in-house LMS], but colleges would be crazy to do it,” Hill said, adding that even if a few well-resourced universities could afford to make it happen, that doesn’t mean they should. “If I were an administrator, I don’t want to be the person who gets called before Congress after a data hack because we developed our own infrastructure. In the case of a Canvas hack, there’s a corporation [Instructure] that’s taking on that risk for universities. It’s a two-edged sword.”

But shielding universities from the chaos of this month’s Canvas hack doesn’t have to be an “all-or-nothing” approach, Hill added.

“Universities might decide to only use their corporate LMS for the basics, but move their exams somewhere else or integrate more deeply with Google Docs, for example,” he said. “That weakens the position of the LMS. Universities need to have these contingency plans.”

Robert Talbert, a mathematics professor at Grand Valley State University who has written books and articles about teaching innovations, said he also hopes the Canvas hack has shown universities why it’s important “not to get too married” to their LMS.

“They’re great until they aren’t. They’re just another piece of technology that is prone to failure, vulnerabilities and going south at the worst possible moment,” he said. “Use them well but lightly.”

Talbert added, “Don’t make the entire academic mission of a university dependent on the uptime of someone else’s technology that you don’t have control over.”

But as thousands of students and faculty experienced firsthand, most institutions aren’t yet prepared for their LMS—which is also a primary mode of communication between faculty and students—to go down unexpectedly.

“When this happened, I didn’t have access to Canvas. My students didn’t have access to Canvas. There was this giant question of ‘What do we do?’” said Jason Gulya, a professor of English and media communications at Berkeley College whose research focuses on the role of technology in higher education. “Many instructors didn’t know how to pivot, because for years we’ve been taught that everything goes on the LMS. So when something like this happens and you don’t have a plan B, C, D or E, you just have to throw your hands up.”

Limits, Trade-Offs

Despite that heavy reliance on the LMS—whether it’s Canvas, Blackboard, Moodle or others—the rise of generative AI is exposing its limitations.

“Many of us faculty do rely on it to communicate with students and keep track of grades,” Gulya said. “But to get to the learning part in the age of AI, I’ve been forced to look at other tools.”

For example, discussion boards in an LMS can be hotbeds of AI overuse and misuse. The same goes for quizzes, which students can easily game using generative or agentic AI. To combat that, Gulya said he’s now far more likely to have students mark up a live Google Doc in lieu of a discussion board or interact with a custom chatbot built via Playlab over a traditional quiz.

“Sometimes the tools within the LMS are so limited and have been around for so long,” he said, that “even if you try to reclaim something like the discussion board from the overuse of AI, it’s hard because students are used to thinking about it in a certain way.”

Nonetheless, these systems have made accessing education far more efficient than the analog and disjointed digital learning platforms of yesteryear.

“You gain and you lose things with the introduction of digital technologies and, in respect to forms of provision like online education, there are clearly benefits that have been derived by many, many people in terms of access to education,” Neil Mosley, a digital education consultant based in the United Kingdom, said in an email to Inside Higher Ed. “But growing technological sophistication ultimately exposes us to vulnerabilities that we simply cannot neglect.”

He underscored that reducing reliance on an LMS in an effort to minimize those vulnerabilities comes with “genuine trade-offs and real implications.”

“Running everything yourself, or to differing degrees, can be both difficult and expensive and may, under some circumstances, increase the risks,” Mosley said. “The grass is not always greener. Cost, both financially and in terms of labour, is a real consideration here and, let’s be honest, we’re hardly going through a golden age of higher education finances.”

Source by [author_name]