Instructure, which provides the learning platform Canvas to many Norwegian educational sector, was subjected to a targeted cyberattack during the period 25–30 April 2026. The attack was discovered on 29 April. 

MF purchases Canvas through Sikt (a service provider for the knowledge sector). Nearly all colleges and universities in Norway use Canvas. 

Instructure has uncovered that a criminal actor copied personal data from one of their systems, extracted information, and is demanding ransom. Instructure has now confirmed that data belonging to MF Norwegian School of Theology, Religion and Society is also included in the attack.

The information includes:

  • Name 
  • Email address 
  • Student identification numbers 
  • Messages between users in Canvas 

MF has notified the Norwegian Data Protection Authority (Datatilsynet) about the incident. 

MF transfers as little personal data as possible to Canvas; therefore, passwords, national identity numbers, etc. are not stored in Canvas and have not been affected. 

Some details are still unclear. Instructure is continuing its investigation and is taking the situation seriously. The security vulnerability on their side has been closed. They have notified the FBI, CISA, and international law enforcement authorities. Instructure is based in the United States, but customers around the world are affected. 

Sikt is updating information about the incident on its website. 

What consequences could this have for you?

The most important issue to be aware of is an increased risk of phishing and threats. 

MF therefore asks all current and former Canvas users to be particularly attentive to possible phishing attempts and scams in the coming period, as information from the breach may be misused for this purpose. Typical examples include convincing fake messages appearing to come from Canvas, MF, Sikt, or Feide. The goal may be to trick you into providing your password on a fake login page. 

If you have sent or received messages via the “Canvas Inbox,” the content of these messages may also have been compromised. If you have shared sensitive information there, you should be aware of this.

What should you do?

  • Be especially critical of emails and messages asking you to log in with Feide or provide your password, particularly in the coming weeks. 
  • Always check the sender’s address and links before clicking. Prefer navigating directly to known websites using your own bookmarks. 
  • If you are unsure whether an inquiry is legitimate, contact it@mf.no 

What has MF done? 

  • We have notified the Norwegian Data Protection Authority about the incident. 
  • We are actively following up with Instructure and Sikt to obtain more detailed information and will keep you updated.
  • We are monitoring activity logs.
  • We have not paid and will not pay ransom to criminals.
  • Instructure has rotated keys and implemented other measures to limit further attacks. 

Spørsmål?

If you have questions, you may contact:

Ina Nepstad

Data Protection Officer
personvernombud@mf.no

Agnes Ellinor Skagemo

Director
Agnes.Skagemo@mf.no

Lars Moe

IT-director
Lars.Moe@mf.no