Breach Notifications

Data Breach Defined

A breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or a school.

Parents will be notified of breaches of covered information within 30 calendar days of receipt of notice of a breach. Notification may be delayed if it would interfere with a criminal investigation. Notification will include, but is not limited to:

  • The date of the breach
  • The description of the covered information that was compromised
  • Information that the parent may use to contact the operator and the school about the breach
  • Toll-free numbers and other information for consumer reporting agencies
  • Toll-free numbers and other information for the Federal Trade Commission (FTC)
  • A statement that the parent may obtain information from the FTC and consumer reporting agencies about fraud alerts and security freezes.

Breach Notifications

Data breaches that meet the threshold set by the Student Online Personal Protection Act will be posted below as soon as the district is notified.

  • May 8, 2026: Instructure has updated its information and now lists IMSA among the institutions potentially affected by this global vendor-level breach. According to Instructure, the information that may have been accessed includes student and user names, student ID numbers, private messages sent within the Canvas platform, IMSA email addresses, and certain staff data. Instructure reports no evidence that passwords, Social Security numbers, dates of birth, or financial information were involved in the breach. We are continuing to monitor our system security as Instructure navigates this nationwide breach. View live updates from Instructure here. 
  • May 1, 2026: An unauthorized party accessed Instructure’s systems. Globally, the involved data included student names, emails, and ID numbers. Instructure reports no evidence that passwords, Social Security numbers, or financial data were compromised. We are monitoring a nationwide security incident involving Instructure, the parent company of Canvas. While thousands of schools were impacted globally, IMSA has not been identified as an affected school at this time.
  • January 7, 2025: PowerSchool, the vendor providing IMSA’s Student Information System, notified IMSA and its other customers of a nationwide data breach. The breach is attributed to a December 22, 2024, incident in which an unauthorized individual gained administrative access to PowerSchool data through a vulnerability in PowerSchool’s support portal.
  • July 12, 2023: wiris MathType. IMSA received notification from a software provider (wiris MathType) of a breach of their system. The breach only impacted users who contacted the vendor between July 7 and 9, 2023. The vendor notified IMSA of the incident by email.

IMSA encourages anyone concerned about a suspected or proven data breach to read the Federal Trade Commission (FTC)’s directions about how to report fraud and to use them to report it.