
Dive Brief:
- A threat actor once again gained unauthorized access to Instructure’s Canvas learning management system on Thursday, the ed tech company confirmed. The breach caused disruptions for students and faculty at colleges nationwide as final exam season is underway.
- Many institutions have had to offer grace periods for missed or late assignments affected by the Canvas outage. Pennsylvania State University, for example, announced that all tests being administered Thursday night and all day Friday were canceled after the latest incident.
- As of Friday, Instructure reported that Canvas is back online and safe to use. But some colleges have temporarily disabled Canvas as the ed tech company investigates the incident.
Dive Insight:
This is the second cybersecurity incident to target Canvas within 8 days, according to Instructure. The company announced the first incident on May 1 in a status update on its website.
The threat actors breached Canvas by exploiting an issue on its Free-For-Teacher accounts during both incidents on April 29 and May 7, Instructure said. Because of this, the ed tech company said it is temporarily shutting down those accounts — a core part of the Canvas platform.
Canvas users at the University of Pennsylvania saw a message on their system from a cybercrime group known as ShinyHunters, according to The Daily Pennsylvanian, the university’s independent student newspaper. Student publications at colleges across the U.S., including Harvard University, the University of Oklahoma and multiple University of California campuses, reported similar messages.
The message linked to a list of colleges, K-12 schools and educational institutions allegedly affected by the ShinyHunters data breaches into Canvas. The group said those institutions could negotiate a settlement with the cybercrime group to prevent the release of compromised data by May 12 — the same deadline given to Instructure.
During the April 29 breach, Instructure said that Canvas users at affected organizations had certain personal information exposed, including names, email addresses, student ID numbers, and messages.
No further data was accessed on May 7, but an “unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas,” the company said.
The Canvas outage and cybersecurity incident “highlights the real-life impact of failing to protect sensitive information collected by schools,” said Elizabeth Laird, director of equity in civic technology at the nonprofit Center for Democracy & Technology, in a May 8 statement.
“Not only did this incident interfere with essential learning activities, it has exposed sensitive data about nearly 300 million users, including messages that could include incredibly personal information,” Laird said.
At the same time, Laird pointed to the U.S. Department of Education’s Office of Educational Technology being shuttered last year. The office helped schools with responsible technology use, she said. Additionally, there have been significant funding cuts to cybersecurity supports for schools.
“This is an important wakeup call that schools and the companies that work with them have legal and ethical responsibilities to safeguard students and teachers online in the same ways that they are protected in the classroom,” Laird said.
Instructure is not the only ed tech company to face a major data breach in recent years. Other recent high-profile cyberattacks hit PowerSchool, a cloud-based K-12 software provider, and Illuminate Education, a student information system provider.
The Canvas incident is a reminder that students and staff in schools have “very little control” over their mass amounts of sensitive data in ed tech platforms, said Shaila Rana, a cybersecurity professor at Purdue Global and a senior member of the Institute of Electrical and Electronics Engineers, a global technical professional organization, in a May 8 statement to K-12 Dive.
“It’s really the asymmetry: users can’t opt out, can’t meaningfully audit how their data is protected, and are left absorbing the consequences when things go wrong,” Rana said. “What makes attacks on platforms like this especially damaging is the infrastructure dependency. It went down during finals week and it disrupted academic continuity across thousands of institutions simultaneously.”