Dive Brief:
- A threat actor once again gained unauthorized access to Instructure’s Canvas learning management system on May 7, the ed tech company confirmed on its website. The incident caused disruptions for students and teachers at school districts and colleges nationwide as final exam season is underway.
- Schools and colleges have had to offer grace periods for missed or late assignments affected by the Canvas outage. Pennsylvania State University, for example, even announced that all tests being administered at night on May 7 and all day on May 8 were canceled after the latest incident.
- As of May 8, Instructure reported that Canvas is back online and safe to use. But some districts and universities have temporarily disabled Canvas as the ed tech company investigates the incident.
Dive Insight:
This is the second cybersecurity incident to target the Canvas learning management system within 8 days, according to Instructure. The company announced the first incident on May 1 in a status update on its website.
The threat actors breached Canvas by exploiting an issue on its Free-For-Teacher accounts during both incidents on April 29 and May 7, Instructure said. Because of this, the ed tech company said it is temporarily shutting down those accounts — a core part of the Canvas platform.
Canvas is used for student information including grades, assignments, attendance and course materials.
Virginia’s Roanoke County Public Schools issued a statement on the May 7 Canvas incident, noting that “some of our users may have seen a message today related to this incident on their computers when they logged into the Canvas system.” The district further advised students and staff to not engage with the message.
Canvas users at the University of Pennsylvania also saw a message on their system from a cybercrime group known as ShinyHunters, according to The Daily Pennsylvanian, the university’s independent student newspaper. Student publications at colleges across the U.S., including Harvard University, the University of Oklahoma and multiple University of California campuses, reported similar messages.
The message linked to a list of schools allegedly affected by the ShinyHunters data breaches of Canvas. It said those schools could negotiate a settlement with the cybercrime group by May 12 — the same deadline given to Instructure.
During the April 29 breach, Instructure said that Canvas users at affected organizations had certain personal information exposed including names, email addresses, student ID numbers, and messages.
No further data was accessed on May 7, but an “unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas,” the company said.
The Canvas outage and cybersecurity incident “highlights the real-life impact of failing to protect sensitive information collected by schools,” said Elizabeth Laird, director of equity in civic technology at the nonprofit Center for Democracy & Technology, in a May 8 statement.
“Not only did this incident interfere with essential learning activities, it has exposed sensitive data about nearly 300 million users, including messages that could include incredibly personal information,” Laird said.
At the same time, Laird pointed to the U.S. Department of Education’s Office of Educational Technology being shuttered last year. The office helped schools with responsible technology use, she said. Additionally, there have been significant funding cuts to cybersecurity supports for schools.
“This is an important wakeup call that schools and the companies that work with them have legal and ethical responsibilities to safeguard students and teachers online in the same ways that they are protected in the classroom,” Laird said.
Instructure is not the only ed tech company to face a major data breach in recent years. Other recent high-profile cyberattacks include PowerSchool, a cloud-based K-12 software provider, and Illuminate Education, a student information system provider.
The Canvas incident is a reminder that students and staff in schools have “very little control” over their mass amounts of sensitive data in ed tech platforms, said Shaila Rana, a cybersecurity professor at Purdue Global and a senior member of the Institute of Electrical and Electronics Engineers, a global technical professional organization, in a May 8 statement to K-12 Dive.
“It’s really the asymmetry: users can’t opt out, can’t meaningfully audit how their data is protected, and are left absorbing the consequences when things go wrong,” Rana said. “What makes attacks on platforms like this especially damaging is the infrastructure dependency. It went down during finals week and it disrupted academic continuity across thousands of institutions simultaneously.”
Meanwhile, Kate Brody, policy director at Schools Beyond Screens — the organization that pushed for Los Angeles Unified School District to limit screen time and devices in its schools — said in a May 8 statement that the Canvas incident is the “perfect example” for why schools need to “interrogate their overuse of technology.”