CFA Responds to Canvas Data Breach and Outage
Last week, there was a national data breach with the Canvas system used by faculty across all CSU campuses. CFA is in communication with CSU management regarding the Canvas cybersecurity incident.
It is deeply concerning that a learning management system the CSU pays millions for and encourages faculty to use failed so completely. CFA is demanding a meet and confer with management to get more details, find solutions, and hold them accountable. CFA also reproposed in bargaining that the CSU commit to data security and privacy protections for faculty. The protections our union seeks are more important than ever.
As a union, we know that this Canvas outage is deeply disruptive, and we are troubled about any possible compromise of highly sensitive data. The hacker group behind the cybersecurity incident said it stole data associated with 275 million users – including students, teachers, and staff – at nearly 9,000 schools around the world. Systemwide, CSU management says they are working with Instructure, the vendor that provides Canvas, to determine the full scope of impact.
For Article 37 in our contract on Health and Safety, the CFA Bargaining Team proposed: “In the event of an electronic system or physical facility breach resulting in the potential loss of, or disclosure of, personally identifiable information to an outside party, the CSU shall notify the affected employees and CFA as soon as practicable after becoming aware of the breach. This notification shall include the nature of the breach and a description of the data potentially lost or disclosed.” (You can read the entire proposal here.)
The Chancellor’s Office’s labor representative referenced the Canvas incident in a quick phone call with CFA that was otherwise intended to address bargaining room access. Had we not already been discussing building access and times to meet, the CSU would not have supplied official notification.
Still, the notification was insufficient: it provided no more information than we saw online. It was not the kind of notice we’re looking for in bargaining.
CSU management has paid Instructure, Canvas’s parent company, at least $31.5 million in the last five years, according to the CSU’s purchase orders portal. It’s also worth noting that KKR, a private equity firm that the CSU Foundation also invests in, bought Instructure for $4.8 billion in 2024. Instructure and CSU management must agree to solutions to protect student and faculty data, and CFA members will hold them accountable.
“Profit and education have no business being tied together,” said Alejandro Villalpando, CFA Los Angeles Council for Racial and Social Justice Representative and CSU Los Angeles professor. “This is another example of the dangers of monopoly capitalism and how everyone is impacted when things long envisioned as a social and public good become overly reliant on capitalists to run its logistics.”
Canvas’s failure forces faculty to pick up the billion-dollar company’s slack. Corwin Bowen, CFA Los Angeles at-large representative and CSU Los Angeles professor, said the Canvas outage caused extra work for her.
“Hundreds of panicking students are emailing me asking me to send them materials from Canvas,” Bowen said. “It’s not their fault. It’s the university’s fault for privatizing public education.”
The Canvas data breach and outage is also troubling as the CSU makes huge payments to artificial intelligence (AI) companies. These technologies are also vulnerable to hacking, and CFA members are still alarmed over how the CSU spent $17 million on the AI Initiative with OpenAI without faculty consent. Coincidentally, just last year, Instructure partnered with OpenAI to embed generative AI directly into Canvas.
At the bargaining table, we introduced a new stand-alone article on AI that affords faculty protections and opportunities. Our proposal includes protections for using or refusing to use the technology, professional development resources to adapt pedagogy to incorporate the technology, and further protections for faculty intellectual property.
It is unclear how the Canvas outage will impact faculty’s ability to assign grades or other work on time, or if work will be required after the academic year is over. Our union is aware that the last day for those on academic-year contracts is approaching, and we will continue talking with management about the impacts of the Canvas outage.
“The last day of my contract is May 23, 2026, and I am not getting paid to extend my contract and work beyond that day to fix a problem for a billion-dollar company,” said Sarra BenGhorbal, CFA Los Angeles lecturer council representative and CSU Los Angeles lecturer.
Finally, we want to be in touch with any faculty members who are negatively impacted in the coming days and weeks. Please reach out to your campus CFA chapter if you need assistance and advice from the union.
We will share updates as we are able.