Dear Students, Faculty, and Staff,
This message is to inform you of a recent cybersecurity incident involving Instructure, the vendor that provides Canvas, San José State University’s learning management system.
We have been informed that the threat actor accessed data from many educational institutions worldwide stored at Instructure’s site that likely included information from the CSU. Instructure is still confirming what data may have been exposed, but based on their preliminary assessment, it may include personal information such as names, email addresses, student ID numbers, and user messages. At this time, neither Instructure nor we can confirm whether any individual’s data at SJSU was included. Canvas does not store passwords, Social Security numbers, financial information, or dates of birth.
Canvas remains fully operational, and there is no evidence of an ongoing threat. Instructure has contained the incident, remediated the vulnerability, and continues to investigate in coordination with external forensic experts and law enforcement.
Out of an abundance of caution, we encourage all community members to remain vigilant for phishing or suspicious communications and to report any such activity to abuse@sjsu.edu.
Password resets are not required at this time; we will notify you if that guidance changes.
We are continuing to work with Instructure to determine the full scope of impact and will provide updates, including resources for affected individuals, at https://lts.calstate.edu/csu-canvas-incident-reports as more information becomes available. If you have any questions or concerns, please contact the IT Service Desk. We will share additional information as the CSU CO investigation continues.
Sincerely,
Chris Wessells, Interim Vice President for Information Technology and Chief Information Officer
Vincent Del Casino, Provost and Senior Vice President for Academic Affairs