Official Statement Regarding the Reported Canvas Infrastructure Security Incident

UPDATE (June 2026)

MSEUF has received additional information from Canvas (Instructure) regarding its ongoing investigation of the reported cybersecurity incident.

Based on the preliminary findings provided by Canvas (Instructure), the threat actor may have exfiltrated certain Canvas provisioning reports associated with the University's Canvas environment. According to Canvas (Instructure), the specific data involved varies across institutions and remains subject to further forensic analysis. At this time, Canvas (Instructure) has not yet finalized the exact number of affected users and continues to work with independent cybersecurity and forensic experts to determine the full scope of the incident.

For Manuel S. Enverga University Foundation, the preliminary information provided indicates that the affected reports may include user directory and enrollment-related information used for Canvas account provisioning and course management. Based on MSEUF’s review of the data fields identified by Canvas (Instructure) and the current Canvas implementation, the information associated with University users primarily consists of names, University email addresses, and University-issued student or employee identification numbers.

At present, there is no indication that passwords, financial information, government-issued identification numbers, social security numbers, free-text messages, academic submissions, uploaded files, or other sensitive personal records maintained by the University were included in the reports identified by Canvas (Instructure). However, the investigation remains ongoing, and MSEUF will continue to review any additional information provided by Canvas (Instructure) as it becomes available.

As a precaution, members of the University community are encouraged to remain vigilant against phishing emails, suspicious messages, or attempts to obtain account credentials by impersonating University offices or trusted service providers. Users should continue to follow recommended account security practices, including maintaining strong passwords and reporting any suspicious activity immediately.

MSEUF will continue to closely monitor the situation and coordinate with Canvas (Instructure) throughout the investigation. Additional updates will be published as soon as verified information becomes available.

 

Initial Statement

Manuel S. Enverga University Foundation is aware of the recently reported security incident involving the infrastructure of Canvas / Instructure.

At this time, the details of the incident remain under investigation by Canvas/Instructure, and there has been no official confirmation regarding the extent of the incident, the specific data involved, or whether the systems and data of Manuel S. Enverga University Foundation are affected.

The Information and Communications Technology Department (ICTD) and Data Protection Officer (DPO) are currently coordinating internal monitoring and reviewing relevant system activities as a precautionary measure while awaiting further official updates from Canvas/Instructure. We are closely monitoring the situation to ensure the continued protection and security of university systems and user accounts.

As a precaution, we strongly encourage all students, faculty, employees, and other users of the university’s Canvas platform to observe the following security practices:

• Immediately change your Canvas password, especially if the same password is used on other platforms or services.
• Enable Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) whenever available.
• Be cautious of suspicious emails, login pages, messages, or requests asking for account credentials or personal information.
• Monitor your university and personal accounts for any unusual or unauthorized activity.
• Avoid reusing passwords across multiple platforms and services.
• Report any suspicious activity or potential account compromise immediately to ICTD.

ICTD will continue to coordinate with Canvas/Instructure and provide updates to the university community as soon as verified information becomes available.

For any concerns related to data privacy, account security, or the possible exposure of personal information in connection with the reported incident, users may coordinate directly with the University’s Data Protection Officer (DPO) through email at dpo@mseuf.edu.ph. The University remains committed to protecting the privacy and security of personal data in accordance with applicable data privacy regulations and institutional policies.

We thank everyone for their cooperation, vigilance, and understanding.

Manuel S. Enverga University Foundation