Canvas Had Every Certification. The Certifications Caught Nothing
- Lindsay Timcke

- 3 days ago
ShinyHunters breached Instructure, the parent company of Canvas, on April 30. Same crew behind Ticketmaster, AT&T, McGraw-Hill, Infinite Campus, Amtrak. Same Salesforce attack surface they exploited in the September 2025 breach of the same company. Eight months. Two breaches. 3.65 terabytes. 275 million students and teachers. Nearly 9,000 institutions named: Harvard, Stanford, MIT, Penn, Princeton, Duke, Berkeley, Columbia, Georgetown. Ransom deadline May 12.
Now look at what was on the wall when the door opened. SOC 2 Type II. ISO 27001:2013. PCI DSS 4.0.1. TX-RAMP. TRUSTe Enterprise Privacy. FERPA-by-design. GDPR. All renewed in December 2025, three months after the first breach, four months before the second. Every certification this market knows how to ask for was in place.
The question every audit committee chair, every CIO, every general counsel reading this needs to answer tonight: did your university actually read the report? Did anyone read the description of the system and notice that the corporate Salesforce tenant holding customer data may be carved out of scope? Did anyone read the Complementary User Entity Controls and assign that work back to your own team? Did anyone read the subsequent events disclosure on the December renewal and ask what the September breach meant for the control environment? Did anyone trace the data flow end to end?
The honest answer is that procurement filed the report and called it diligence. And that is not procurement's fault; it is the structural failure of an attestation framework written by accountants for accountants, against criteria that drift years behind the threat landscape, executed at scale by junior staff who have never sat across the table from a threat actor or run a tabletop against a real adversary playbook. The opinion is clean. The criteria are academically defensible. The threat model is a decade out of date.
The next generation of assurance is scenario-driven. What would a ShinyHunters voice phishing campaign do against your help desk this quarter? Where does your customer data actually flow once it leaves the LMS? What happens when the corporate CRM is the soft target and the production environment is a distraction? That is the work, done by senior practitioners who have lived through breach response and red team engagements, not by twenty-six-year-olds with a checklist and a sample size of twenty-five.
If your firm is still buying the book exam, the SOC 2 binder, the ISO certificate, the PCI AoC in the procurement folder, and calling that risk management, you are the next institution on the public victim list. You have just not been named yet.
Call TRM when you are ready to look at your environment instead of studying for the test.
