Notice of Canvas Security Incident

May 8, 2026

ACR has been notified by Instructure, the parent company of Canvas (a learning management system used by ACR), that Canvas experienced a cybersecurity incident involving unauthorized access to certain data affecting over 9,000 institutions around the world, including ACR.

Based on information provided by Instructure, the affected information for impacted institutions includes names, email addresses, student ID numbers, and messages among Canvas users. Instructure has stated that there is currently no evidence that passwords, dates of birth, government-issued identifiers, or financial information was involved.

The ACR IT Security team is actively monitoring Instructure’s Security Incident updates as they become available and assessing any potential impact on ACR systems and data.

At this time, Instructure has indicated that no specific action is required for impacted users. Nonetheless, we encourage you to remain vigilant. As always, please be cautious of unsolicited emails or messages that appear to come from Canvas or ACR, especially those requesting login credentials or personal information. Report anything suspicious to compliance@acr.org. ACR will update this notice as warranted.