Glasgow School of Art Goes Dark as Education Breaches Surge

Staff and students at the Glasgow School of Art (GSA) lost access to their email and online services in late May, days into degree show week, the busiest stretch of the institution’s calendar. The art school has called it a temporary IT disruption and has not confirmed whether a cyberattack was involved.

That might pass for routine in an ordinary year. The timing made it worse. Just weeks earlier, the learning platform used by GSA and nearly 9,000 other institutions worldwide had sat at the centre of the largest education data breach on record, and a fresh UK government survey had found that almost every higher education body in the country was breached or attacked in the past year.

Locked Out at Garnethill

The most visible sign of trouble was a queue. With email and other GSA services down, staff had to line up outside the art school’s Rose Street finance and IT offices to get their passwords reset by hand, an unusually analogue fix for a digital problem.

Reporters from local outlet The Bell spoke to eight people around the Garnethill buildings, and every one described the same thing: no access to email or GSA online services, and little explanation. One interaction design student said he had received “no access to communication” from the school about the cause. Two marketing staff shrugged it off as “an inconvenience”. What none of them could get was a straight answer, and for several days no one would say whether it was an attack or a simple outage.

When approached, a GSA spokesperson kept the language vague, stopping short of using the word cyberattack at all. The full statement, relayed through the school’s Glasgow School of Art media centre, read in part:

The school experienced some temporary IT disruption over the weekend and has been keeping staff and students updated as a matter of course as we resolve this. Our IT team are currently investigating the cause of the disruption, but systems are now returning to normal.

Why the Blame Landed on Canvas

Two students leaving Rose Street were more confident. They told The Bell this was a “big” cyberattack, though not one aimed specifically at GSA, and pointed to the breach of Canvas earlier in May. GSA does lean on the platform heavily, using it for everything from reading lists to technical support, so the link felt intuitive.

Canvas is the learning management system (LMS, the software that hosts course material, grades and student messaging) run by US company Instructure. In late April and early May it suffered an intrusion that quickly became the worst incident the education sector has seen.

How the Breach Unfolded

According to Instructure’s official incident update on the Canvas breach, the attack ran in two waves over roughly two weeks:

1. Around 25 April, intruders reached Instructure’s systems through a flaw tied to its free teacher accounts.
2. On 29 April the company detected the access, cut it off and brought in forensic investigators.
3. By early May it had confirmed data theft and disclosed the incident publicly.
4. On 7 May the same actor struck again, posting a ransom message on Canvas screens; the platform was pulled offline within about ten minutes and restored on 9 May.
5. On 11 May Instructure announced a deal with the attackers, who returned the data and supplied “shred logs” as proof of deletion, a day before a 12 May leak deadline.

What the Attackers Took

The scale is what set this apart. The stolen records reportedly covered 275 million students, teachers and staff across 8,809 universities, ministries and other bodies, with the attackers claiming 3.65 terabytes of data in all. In the United States alone, about 41% of higher education institutions run Canvas, which is part of why a single vendor’s flaw rippled so far.

Instructure said the haul included usernames, email addresses, course names, enrolment information and private messages, but found no evidence that passwords, dates of birth, government IDs or financial details were taken. That is reassuring as far as it goes, and it goes only so far, because a name tied to an email address and an institution is exactly the raw material that powers convincing phishing.

A Timeline That Doesn’t Line Up

Here is the wrinkle. Canvas was back online by 9 May, Instructure announced its agreement with the attackers on 11 May, and the leak deadline lapsed on 12 May. GSA’s email blackout came more than a week after that all-clear, in the closing days of May, just as degree show preparations peaked.

So the neat student theory, that the lockout was simply the Canvas hack catching up with Glasgow, does not quite hold. It could be a delayed knock-on effect, an unrelated server fault, or a separate incident the school is still untangling. GSA has not connected the two events, and it has not ruled them apart either. The honest position, for now, is that nobody outside the IT team knows, and the school is not saying.

Education Became the Internet’s Softest Target

Whatever happened at Garnethill, it fits a pattern that has hardened over the past two years. UK government figures published this spring, in the 2025/2026 cyber breaches survey for education institutions, show the sector is now the most-targeted corner of the economy by a wide margin.

Almost every higher education body, 98%, identified a breach or attack in the previous 12 months, and around three in ten faced one at least weekly. Of the further and higher education institutions hit, roughly half reported a real consequence, from hijacked accounts to services being knocked offline. Set that against the wider economy, drawn from the same UK cyber security breaches survey, and the gap is stark.

The reasons are structural. Universities and art schools run open networks built for sharing, juggle dozens of outside software suppliers, sit on troves of personal data, and rarely have the security budgets of a bank. A degree show, with thousands of visitors and a flurry of last-minute logins, is precisely the moment when any wobble hurts most.

The Pay-or-Leak Playbook

The Canvas attack has been attributed to ShinyHunters, a financially motivated extortion crew active since around 2020 and described by researchers as a loose mix of teenagers and young adults in the US and UK, with ties to the group known as Scattered Spider. Their method marks a shift from the ransomware that schools learned to fear.

They do not usually encrypt your files or lock you out of your servers. Instead they steal data quietly and threaten to publish it unless paid, a model security analysts call pay-or-leak. When Instructure’s first negotiation deadline slipped, the attackers escalated by defacing Canvas login portals at roughly 330 institutions and pivoting to extorting individual schools one by one. A technical breakdown of the Instructure Canvas breach traces how the same group has climbed the supply chain over time.

That progression is the part worth watching. Their recent targets read like a tour of shared infrastructure:

• Bulk database theft and credential stuffing against cloud data warehouses.
• Abuse of connected app permissions to siphon data from sales and CRM platforms.
• Now, third-party education vendors whose single breach exposes thousands of schools at once.
• A reported ransom said to run into eight figures, which Instructure has not confirmed paying.

What Students and Staff Can Do

For anyone whose institution uses Canvas, the safe assumption is that a name, email address, student ID number and some message history may be in circulation, even after the deletion claims. That does not require panic, but it does change the threat model for the months ahead.

• Treat any email referencing your course, fees or login as suspect, especially ones pushing urgency or a payment link.
• Reset passwords anywhere you reused your institutional one, and switch on multi-factor authentication (MFA, a second login step beyond a password).
• Ignore and report any direct extortion message claiming your personal data will be leaked.
• Keep an eye on official channels rather than corridor rumour for confirmation of what was affected.

If GSA eventually ties its blackout to the vendor breach, its students join a register of stolen names already passed through other hands. If it turns out to have been only a server fault, they lost access during their showcase week for nothing, and still cannot be sure which of the two it was.

Frequently Asked Questions

Was the Glasgow School of Art hacked?

Not confirmed. GSA has described the late-May episode only as a temporary IT disruption and says its team is still investigating the cause. It has not stated publicly whether a cyberattack was involved.

Is the Canvas data breach the same thing as the GSA outage?

Unclear, and the dates raise doubt. Canvas was restored on 9 May and Instructure settled with the attackers around 11 to 12 May, while GSA’s lockout came more than a week later. The school has not linked the two events.

What data was stolen in the Canvas breach?

Instructure says the exposed fields included usernames, email addresses, course names, enrolment information and private messages between users. It found no evidence that passwords, dates of birth, government IDs or financial information were taken.

How many people were affected by the Canvas breach?

The attackers claimed records covering about 275 million students, teachers and staff across 8,809 institutions worldwide, totalling some 3.65 terabytes of data. Around 41% of US higher education institutions use Canvas.

Did Instructure pay a ransom?

Instructure announced an agreement under which the attackers returned the data and provided shred logs as proof of destruction. Reports suggest a payment in the millions, but Instructure has not publicly confirmed paying any ransom.

Is my data safe now that Canvas is back online?

Canvas returned to service on 9 May and Instructure says the stolen data was destroyed. There is no way to guarantee copies were not retained, so treating your exposed details as potentially circulating remains the cautious approach.