Dear Salt Lake City School District community, 

Instructure, the provider of the Canvas learning management system, has informed us that they experienced a nationwide cybersecurity incident on Saturday, April 25. Instructure notified the district on May 5 that district information was included in that incident. Please note this was not a security lapse in district IT systems.  

Reports indicate that data from 275 million users (including students, teachers, and other staff) has been affected, including data from the Salt Lake City School District and other school districts in Utah. Instructure has reported that “the attackers gained access to personal information such as names, email addresses, and student ID numbers. User messages were also compromised” and “at this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.” 
 
I want to stress that this breach involves Instructure’s systems and platforms and is not the result of Salt Lake City School District’s systems and security procedures.  

We are waiting to receive additional information from Instructure but wanted to inform our community. We will pass on any details to you as soon as we receive them. You can also monitor Instructure’s updates directly on their website. 
 
We will be in touch with you as soon as we know more. In the meantime, you may submit any questions to our Chief Information Officer via this online form. 

From Instructure about the April 25 incident:

“On April 25, 2026, Instructure experienced a cybersecurity incident perpetrated by a criminal threat actor. We detected the attacker on April 29 and immediately revoked the access. On April 30, as the investigation expanded, we revoked additional suspicious access and addressed the underlying vulnerability. We have found no indicators of an ongoing threat.

Actions we have taken
From the moment we detected this malicious activity, we moved quickly to protect our platform and learn what happened. We:

• Engaged a leading third-party forensics firm to support our investigation
• Notified law enforcement, including the FBI, U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners
• Disabled the compromised accounts and revoked all associated access and tokens
• Remediated the underlying vulnerability and deployed platform-wide protections
• Rotated internal keys and restricted token creation pathways across the platform”

From Instructure about the May 7 incident:

“On May 7, an unauthorized actor made changes to the pages that appeared when some students and teachers were logged in. We quickly identified this unauthorized activity and immediately took steps to contain it, including temporarily taking Canvas offline into maintenance mode as a precaution to prevent further unauthorized access. Working in coordination with our independent forensics partner, we have found no evidence that the unauthorized actor established persistence, obtained credentials for accounts within your institution, or exfiltrated any additional data.”

Currently, we are working with Instructure to determine the extent of the incident.  More information will be posted following our investigation.

On Tuesday, January 7, PowerSchool, our student information system provider, informed us of a cybersecurity incident on their systems that may have affected all PowerSchool customers.  Salt Lake City School District uses PowerSchool student information system to store education records about district students.

Yesterday, January 8, we attended a webinar with PowerSchool and confirmed that our system was affected. It appears that unauthorized access was gained to our student information system. 

This breach involves PowerSchool’s systems and platforms, and is not the result of Salt Lake City School District’s systems and security procedures. 

While we are still assessing the full extent of the breach, we believe the intruders accessed both student and teacher data. The teacher data includes basic information like ID, name, email, and title. The student data includes demographic details such as:
 

• student ID
• Utah state student ID
• name
• birthdate
• current school ID
• current school enrollment dates
• grade
• locker number
• locker combination
• current lunch balance
• home and mailing address
• guardian name and  contact information
• emergency contact information
• free and reduced meal status
• medical alerts

Social security numbers were not involved and the District does not store any social security numbers in PowerSchool.  

Salt Lake City School District IT staff have confirmed that the threat has been contained, and the intruder no longer has access to our system. 

PowerSchool is working with cybersecurity experts from CrowdStrike to investigate further. We expect to have more information over the next two weeks and will provide updates as we receive additional information.

PowerSchool will be providing credit/identity monitoring services to affected individuals.

At this time, we do not believe any other systems within the Salt Lake City School District were affected.