Q&A: What the Latest Canvas Breaches Mean for Third-Party Risk
Although I work in cybersecurity, I’m also a parent of children whose school uses Canvas. That made this breach feel especially personal. As professionals, we understand the risks that come with living and working online. But when it involves our children’s information, the stakes feel very different. Our kids trust us to keep them safe, and that includes protecting their personal data. We wanted to better understand what happened, what organizations should be learning from these repeated incidents, and what security leaders need to consider when it comes to third-party risk, vendor dependency, and operational resilience. To explore those questions, I spoke with Zach Lewis, CIO and CISO at the University of Health Sciences and Pharmacy, who shared valuable insight into the broader implications of these attacks and what institutions should be doing now to strengthen their defenses.
Q: For readers unfamiliar with your background, can you share a little about your experience in cybersecurity?
Zach Lewis: I’m the CIO and CISO for the University of Health Sciences and Pharmacy, and I’ve been in that role for seven years. I’ve spent many years working in higher education technology, and before that I worked in tech startups, the energy sector, and consulting. I also wrote a book called Locked Up, which covers a real-world ransomware attack and everything that happened before, during, and after the incident.
Q: What was your reaction when reports emerged that the same LMS provider experienced another major incident so soon after the previous breach?
Zach Lewis: I was following the attack very closely. Initially, it sounded like the organization believed it had contained the issue, but then additional schools started reporting splash pages associated with the ShinyHunters group almost immediately afterward.
That raises difficult questions. One possibility is that attackers maintained persistence through previously established backdoors. Another is that they re-entered using similar tactics and created additional footholds during the first incident. Either way, it suggests the attackers had a strong understanding of the environment and likely spent significant time mapping the network.
The fact that the same group reportedly targeted the company multiple times means organizations should take a much closer look at whether defenses, monitoring, and remediation efforts are truly sufficient.
Q: Do you believe this points to failures in remediation or governance?
Zach Lewis: It could. If attackers were able to return immediately after the organization believed the environment was secured, that suggests either lingering persistence mechanisms, gaps in monitoring, or incomplete remediation.
Once threat actors spend several days inside an environment, they learn where systems live, how data flows, and where to place backdoors. That knowledge makes subsequent attacks easier.
Groups like ShinyHunters are highly disruptive because they understand how to exploit weaknesses quickly and repeatedly. Organizations need to assume attackers will try to regain access even after an incident appears resolved.
Q: What lessons should colleges and universities take away from these repeated incidents?
Zach Lewis: Institutions have to recognize that this is ultimately a business and risk-management decision. Canvas holds a massive share of the LMS market, so many schools depend heavily on it. The expectation now is that vendors will invest aggressively in strengthening their defenses.
But schools also need to think carefully about the type of information stored inside these systems. One of my biggest concerns is the content of private messages and direct communications. If attackers access those conversations, they can use the information to craft highly targeted phishing emails, text messages, and scams.
Practitioners should be thoughtful about what they place in written communications and where that information is stored. Sensitive discussions may be better handled in person or through secure conversations rather than leaving permanent records that could later be exposed.
Q: Could a similar attack happen to virtually any LMS or cloud provider?
Zach Lewis: Absolutely. Any critical system can potentially be compromised.
Every organization relies heavily on third-party vendors and cloud providers. Whether it’s an LMS, a cybersecurity platform, or another core service, vulnerabilities can exist anywhere. We’ve seen this before with incidents like the CrowdStrike outage, where organizations using alternative providers felt safe in the moment.
At the end of the day, these incidents come back to foundational cybersecurity practices:
- Patch internet-facing systems.
- Limit exposure of critical infrastructure.
- Maintain strong identity and access controls.
- Apply good data governance.
These are basic principles, but organizations across the industry still struggle with them.
Q: Beyond higher education, what should organizations be asking third-party vendors after a breach?
Zach Lewis: Vendor risk management can’t be a one-time assessment during onboarding. Organizations need continuous evaluation of third-party security.
You have to understand:
- What access the vendor has into your environment.
- What permissions exist.
- What data they can touch.
- What happens operationally if the vendor goes offline.
That last point is critical. Organizations need to test continuity plans regularly.
If a major system suddenly becomes unavailable, how do you continue operating? In higher education, that could affect final exams, grading, transcripts, and graduation timelines. Those disruptions create real downstream consequences for students, faculty, and administrators.
Q: What does this incident reveal about overreliance on digital systems?
Zach Lewis: Many institutions depend so heavily on these systems that they don’t have effective backup plans.
Interestingly, organizations often face a balancing act. During previous incidents I’ve dealt with, some professors kept separate spreadsheets of grades because they didn’t fully trust the LMS. But when those spreadsheets were later exfiltrated during a cyberattack, it created FERPA concerns because student data had been duplicated outside the primary system.
At the same time, if the LMS itself becomes unavailable, organizations still need a way to continue operating.
There’s no perfect solution. Every approach involves weighing operational needs against security risks.
Q: When a vendor experiences a breach, where does responsibility ultimately fall?
Zach Lewis: That often depends on contracts, the cloud service provider relationship, and who legally owns the data.
In many cases, the institution itself still owns and remains accountable for the data, even when a third-party platform hosts it.
That’s why organizations need to fully understand:
- Their contractual obligations.
- Data ownership responsibilities.
- Liability exposure.
- Vendor security expectations.
Cybersecurity leaders also need strong relationships with legal and compliance teams to understand those responsibilities before an incident happens.
Q: What security controls matter most today for reducing damage from third-party compromises?
Zach Lewis: Identity and access management remains one of the most important controls.
Organizations need to evaluate:
- Who has access.
- What level of privilege they have.
- Whether permissions are excessive.
- How third-party integrations connect into core systems.
The principle of least privilege is still one of the most effective defenses organizations have. The fewer unnecessary permissions and connections that exist, the less damage attackers can do if they gain access.
Final Takeaway
Repeated attacks against major vendors highlight a difficult reality for organizations across every industry: even trusted platforms can become targets.
For institutions, the challenge is no longer simply choosing the right technology vendor. It’s building resilient operations, understanding contractual and data responsibilities, continuously evaluating third-party risk, and preparing for the possibility that critical systems may temporarily fail.
As cyber threats continue evolving, the organizations best positioned to respond will be the ones that plan not only for prevention, but also for operational continuity when prevention fails.