June 3, 2026

TLP:CLEAR

In This Issue:

• Situation Room: The recent Canvas breach informs mitigation strategies for election officials in a vendor-dependent world.  
• Resource Library: PACE your preparedness to keep operations moving forward.  
  
• Planning Desk: A careful approach to the recovery phase of your incident response process is critical to restoring normal operations.  

The Canvas Breach Through an Election Security Lens

The May 2026 Canvas breach is more than an education-sector incident - it is a direct warning signal for state, local, tribal and territorial (SLTT) officials navigating an increasingly complex software ecosystem.

Considered one of the largest educational cybersecurity incidents on record, the breach has far-reaching implications beyond the immediate technical outage.

Canvas is the most widely used ed-tech platform in the U.S., serving tens of millions of students. The breach affected nearly 9,000 institutions across 50 countries, including K-12 school districts, universities, and even teaching hospitals. The attackers claimed to have stolen 275 million records containing names, email addresses, student IDs, and private messages - meaning the damage will be ongoing for those whose information was exposed.

The attackers exploited a shared Software-as-a-Service (SaaS) environment and used extortion tactics timed for maximum disruption. SaaS is a common software delivery model where applications are hosted by a service provider (vendor) and made available to customers over the internet. Instead of purchasing and installing software on individual devices, users can access the software through a web browser or mobile app on a subscription basis. This shared SaaS delivery model is widely used in election administration - one vendor compromise can cascade across many jurisdictions simultaneously.

Why Election Officials Should Be Concerned

For election offices, the parallels are clear: vendor risk, distributed users (election officials, poll workers, voters), and time-sensitive operations. Election officials depend on many software solutions that are shared across the election community, as well as other areas of government operations such as email, payroll, VoIP, or HR platforms. Shared software solutions can also be external systems that facilitate election processes, such as motor vehicle technologies, GIS or mapping systems, and court or death record systems. A breach in any of these could have wide-ranging consequences for the election infrastructure sector, just as the Canvas breach had for the education sector.

Election officials have spent years securing voting machines and ballots. That work remains essential. But the attack surface does not stop at voting systems. The broader digital ecosystem supporting the modern election office is also a target. Securing elections means defending that entire ecosystem, before an attacker turns a vendor compromise into an election crisis.

Proactive Actions

• Review which systems your office relies on that are outside your direct control.
• Ask vendors about their incident responses and notification timelines.
• Ensure your Incident Response Plan and Continuity of Operations Plan account for third-party outages.

The Situation Room focuses on real security incidents and threats in the news relevant to election security. To review previous issues, see the newsletter archive.

PACE Planning Principle

In our Issue 9 Planning Desk, we walked through the PACE planning principle. The Canvas breach makes it worth revisiting PACE here.

PACE helps you build election resilience by anticipating disruption and preparing redundant backup capabilities. The acronym represents four tiers of capability: the first-line method plus three backups.

• Primary: The preferred and intended, most reliable method.
• Alternate: A backup method if the primary fails, common but less optimal.
• Contingency: A fallback method if primary and alternate fail, less ideal but still viable.
• Emergency: Method of last resort, used only when all others are unavailable.

Organizations that understand and plan for cascading failures will be more resilient in the face of disruptions. You probably have several backup options for various functions but may not have documented and prioritized them.

No single definitive PACE resource exists yet, but several practical guides apply the methodology well. The following resources offer different visual guides and examples of applying PACE to your Incident Response Plan:

• CISA Leveraging the PACE Plan into the Emergency Communications Ecosystem
• PACEing a Communications Resilience Plan
• Life is a Special Operation
• Emergency Preparedness, Response & Recovery: What is the Purpose & Benefits of a PACE Plan?

Having one backup improves resilience, but PACE goes further. It builds a full chain of fallbacks so a single failure never stops operations.

The Resource Library section of the newsletter spotlights election security resources. All highlighted resources are available online in the Resource Library.

Week E-22: Recovery: Restore, but Verify

Recovery is the final step in the third phase of your Incident Response Process. Containment stopped the spread. Eradication removed the cause. Recovery is the orderly return to normal: bringing systems back online, restoring data, resuming normal operations, and watching closely for any sign that the problem returns.

The temptation at this point is to move fast. Leadership wants the all-clear, staff want their tools back, and the public wants the website up. Speed here is fine; sloppiness is not. A botched recovery undoes the work of the previous two steps.

Restore From a Known Clean State

The single most important question in recovery is When did the incident actually start? Your detection log and analysis notes from earlier in the incident response process should provide a date and time, or at least a date window. Restore from a backup taken before that point, not after.

This is where backup hygiene pays off or fails publicly. A backup you have never tested is a hope, not a recovery plan. Confirm the backup is intact, its date is before the incident window, and that the restore actually works in a test environment before you put it into production.

Bring Services Back In a Deliberate Order

A phased restoration is preferable. Prioritize essential systems, particularly those required in the next 24 to 72 hours, and those that you can monitor closely. Restoring a low-traffic system early can help you detect any recurrence in a manageable setting before reintroducing high-traffic systems, where problems can be more difficult to spot.

Watch Closely After the Lights Come Back On

The period immediately after recovery is when your team is tired and most likely to miss something. It is also when sophisticated attackers often try again from a different angle, having learned what worked and what did not. Set a defined heightened-monitoring window before you declare the incident closed. This could be several days for routine incidents or longer for anything involving credential compromise, persistent access, or unknown root cause.

The monitoring should include the obvious (logs, alerts, the systems you just restored) and the less obvious (related accounts, connected systems, the same attack pattern aimed at a different entry point).

Do Not Declare Victory Too Early

The incident is not over when service is restored. It is over when the heightened-monitoring window has passed without recurrence, the documentation is complete, and the post-incident review (next issue) is on the calendar. Until then, the Incident Response Plan stays active.

Actions You Can Take

1. Validate backups on a schedule, not just when you need them. Quarterly is reasonable for most offices. Time how long it takes to restore, document the steps, and fix what doesn’t work.
2. Define recovery order in advance for your critical systems: which ones are restored first, which can wait, and who decides.
3. Set heightened-monitoring windows by severity tier. Write them into your Incident Response Plan. Do not negotiate them during recovery.
4. Assign a recovery monitor. Identify someone whose only job during the post-recovery window is watching for recurrence. This person should be separate from the staff getting the office back to normal.
5. Schedule the post-incident review before recovery ends. Putting it on the calendar is the only way to make sure it actually happens.

Recovery closes Phase 3, but it does not close the incident. Next week we wrap up this series on the incident response process with Phase 4, Post-Incident Activity, the work that determines whether the next incident catches you in the same place.

The Planning Desk is a running timeline of key election security tasks. You can find prior editions in the newsletter archive.

Want to get daily updates on election news? Subscribe to electionline.

• Election threats are focused on campaign systems, not voting machines | CyberScoop (June 1, 2026) // National

• Why a surge of election-related websites could spell rising cyber threats for the midterms | PBS News (June 1, 2026) // National

• Hackers more focused on misleading voters than ballot tampering: Report | The Hill (June 1, 2026) // National
• A Fractured Shield: Changes to Cyber Information Sharing Put Elections at Risk | Center for Democracy & Technology (May 28, 2026) // National
• Investigations underway after Los Angeles County voting center vandalized, mail-in ballots burned | CBS News (May 31, 2026) // California