What happened with Instructure/Canvas?
Instructure, the company behind the Canvas learning management system, recently disclosed a cybersecurity incident involving unauthorized access to certain user data. Reported data included names, institutional email addresses, user IDs, course and enrollment information, and messages.
While passwords and financial information were not the primary concern, the exposed data still matters. Attackers can use real names, emails, relationships, and messages to make phishing attempts more convincing. A message referencing a real school, course, department, or prior communication is much more likely to be trusted than a generic scam.
Why this matters beyond education
Although the incident affected schools and universities, the same risk applies to businesses that rely on SaaS platforms every day.
Organizations use tools such as Microsoft 365, Google Workspace, Salesforce, Workday, NetSuite, ServiceNow, payroll systems, and customer portals to manage communication, finance, HR, operations, customer data, and workflows.
These systems often contain a working map of the business: who works there, who has authority, who communicates with whom, and which messages are likely to be trusted. In the wrong hands, that information can support phishing, business email compromise, vendor impersonation, social engineering, and attacks against connected systems.
A breach does not have to start inside your network to create risk for your organization.
Where organizations become exposed
Many companies share more information with SaaS vendors than they realize. Some data is necessary. Some may have been shared during implementation and never reviewed again.
Over time, this creates data and identity sprawl. Information spreads across applications, integrations, reports, exports, and archived records. Employees change roles, contractors leave, vendors complete projects, and temporary access can quietly become permanent.
Threat actors look for these weak points. They may not need to break through a firewall if they can exploit an overlooked account, exposed integration, or trusted platform with useful user data.
What organizations should do now
The answer is not to stop using SaaS platforms. It is to manage them with more visibility and discipline.
Start by identifying what data your organization shares with critical vendors. Determine what is required, what is optional, how long it is retained, and whether it is still needed.
Then review access. Pay close attention to administrators, former employees, inactive users, contractors, vendors, service accounts, API access, and third-party integrations. Access should reflect current business needs, not historical convenience.
Organizations should also evaluate whether they can detect unusual behavior quickly, including abnormal logins, large exports, unexpected API activity, unauthorized admin changes, or activity from accounts that should no longer be active.
Finally, include SaaS platforms in third-party risk reviews. Vendor assessments should address data minimization, access controls, logging, breach notification, incident response, and integration security.
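One way to turn the access-review and detection signals above (inactive accounts still active, logins from unexpected places, large exports, admin changes by non-admins) into a concrete check, as an added example that is not part of this article or UHY's own tooling. The audit events, account lists, and threshold are constructed placeholders, not data from any real platform.

```python
# Added example: review constructed SaaS audit-log events against the
# signals listed in the text. All names, countries and limits are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Event:
    user: str
    action: str        # "login", "export", "api_call" or "role_change"
    country: str       # country the request originated from
    rows: int = 0      # rows returned by an export, 0 for other actions
    target: str = ""   # account affected by a role_change


# Constructed reference data: accounts HR says should be deactivated, the
# country each user normally logs in from, the current admin set, and the
# export size above which a report should be questioned.
DEACTIVATED: Set[str] = {"contractor.jones", "svc-legacy-sync"}
USUAL_COUNTRY: Dict[str, str] = {"a.smith": "US", "m.lee": "US", "svc-bi-export": "US"}
ADMINS: Set[str] = {"a.smith"}
EXPORT_LIMIT = 10_000


def review(events: List[Event]) -> List[str]:
    """Return one finding string per suspicious event, in input order."""
    findings: List[str] = []
    for e in events:
        if e.user in DEACTIVATED:
            findings.append(f"inactive account active: {e.user} {e.action}")
        # Unknown users have no baseline, so only known users can trigger this.
        if e.action == "login" and USUAL_COUNTRY.get(e.user, e.country) != e.country:
            findings.append(f"login from new country: {e.user} {e.country}")
        if e.action == "export" and e.rows > EXPORT_LIMIT:
            findings.append(f"large export: {e.user} {e.rows} rows")
        if e.action == "role_change" and e.user not in ADMINS:
            findings.append(f"admin change by non-admin: {e.user} -> {e.target}")
    return findings


# Constructed sample log: one normal login followed by four events that
# each match one of the signals above.
SAMPLE: List[Event] = [
    Event("a.smith", "login", "US"),
    Event("contractor.jones", "login", "US"),
    Event("m.lee", "login", "BR"),
    Event("svc-bi-export", "export", "US", rows=250_000),
    Event("m.lee", "role_change", "BR", target="m.lee"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

In practice the reference sets come from the HR system and the platform's own admin API rather than literals, and the events from the vendor's audit log export.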
A better question for leadership
The Canvas breach is a reminder that contextual information can be enough to create real risk. Names, emails, IDs, messages, and relationships can help attackers sound credible and target users more effectively.
The question is not only, “Was sensitive data exposed?”
It is, “Could the exposed information help someone target our organization next?”
The strongest organizations know where their data lives, limit unnecessary sharing, review access regularly, and treat SaaS platforms as part of their security perimeter.
Secure the information you share with SaaS platforms
The next breach may not start inside your organization, but it can still put your data, people, and operations at risk. Connect with UHY to evaluate your third-party, SaaS, and identity security posture before attackers find the gaps first.