On Friday, tens of thousands of students worldwide who were preparing for their final exams regained access to a crucial online learning platform after a cyberattack had taken it offline, causing widespread disruption in schools and universities.
Elizabeth Polo was attending a creative writing class at the University of Maryland late Thursday afternoon when a classmate suddenly yelled, “Canvas got hacked.” A message from a hacking group appeared on her computer screen.
“Our entire class just started panicking about it,” said Polo, a junior. “Our poor professor was trying to calm everyone down, but it was just total chaos.”
Across the academic world, the outage triggered panic and confusion as students and faculty members were suddenly locked out of a platform they depend on to manage grades and access course materials and assignments. Colleges rushed to reschedule final exams as students lost all access to the resources they needed to study.
Instructure, the company that operates Canvas, announced in an update late Thursday that the system was back online for most users.
“Instructure discovered that the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in,” Instructure said Friday in a statement. “Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate.”
Instructure also confirmed that the unauthorized actor took advantage of a vulnerability related to its Free-For-Teacher accounts. The company has temporarily disabled those accounts.
Instructure did not say whether it paid a ransom, nor has it disclosed what happened to the compromised data.
Rich in digitized data, the nation’s schools are prime targets for distant criminal hackers, who are actively seeking out and stealing sensitive files that not long ago were stored as paper records in locked cabinets. Previous attacks have struck Minneapolis Public Schools and the Los Angeles Unified School District.
Hackers breached data days before the outage
A hacking group known as ShinyHunters claimed responsibility for the breach at Canvas, according to Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Connolly said.
The message that appeared on Polo’s computer screen urged individual schools to contact the hacking group directly to negotiate a settlement and threatened to leak data if they didn’t comply. She said that Canvas later removed that message, replacing it with a notice saying the site was undergoing scheduled maintenance.
Just before 1 a.m. Friday, Polo was able to submit an assignment on Canvas, but she now worries her personal data has been compromised.
Canvas went down just as deadlines were hitting
The outage struck just as a deadline arrived for semester-long projects in one of Gwyneth Doland’s journalism classes at the University of New Mexico.
“They were a little hyperventilating,” recalled Doland, who extended the deadlines. “None of these platforms are fail-proof. I’m glad that they got that lesson.”
That the attack came with finals approaching was no surprise to Huseyin Can Yuceel, the security research lead at Picus Labs.
“Timing is everything, because they want to cause as much pain as possible,” he said, “so they can extort money from it.”
Teachers said they had to find alternative solutions to help students study for exams and submit final assignments. Some schools, such as the University of Texas at San Antonio, announced they were postponing finals scheduled for Friday in response to the outage.
Rod Uzat, a professor of Educational Leadership at the University of Texas Permian Basin, delayed the posting of grades by a day.
“The concern is for those of us who were doing the grading if there’s anything left,” Uzat said.
Rhongho Jang, a computer science professor at Wayne State University in Detroit, was finalizing grades for a class of 94 students when the system went down. He keeps paper copies of the student exams, but all of the semester assignments, which make up half of the final grade, are completed online.
If those assignments and grades could not be recovered, Jang would have given his students full credit.
“I didn’t want to penalize them,” he said. “We cannot judge based on the data we don’t have. The final responsibility is still on the server.”
A reliance on tech makes schools vulnerable
The breach highlighted how heavily schools depend on digital platforms run by outside companies to keep their operations running.
“What it boils down to is concentration risk,” said Joseph Blankenship, a vice president and research director at Forrester. He said any sector, including education, is particularly vulnerable when there’s only one or maybe two key providers hosting essential technology.
Allan Liska, of the cybersecurity firm Recorded Future, said the outage did appear deliberate, not a glitch, and that Instructure was working to determine how widespread the problem was and ensure the hackers were no longer inside its system.
“There’s no indication at this point that any ransom has been paid,” Liska said. “And it likely is still a little too early for a ransom to have been paid. You know, normally these negotiations kind of drag on for a while.”
Connolly described ShinyHunters as a loose network of teenagers and young adults based in the U.S. and the United Kingdom. The group has also been linked to other attacks, including one on Live Nation’s Ticketmaster subsidiary. ShinyHunters posted online that it was not commenting on the Canvas incident.
ShinyHunters, or an offshoot, was also behind a previous smaller breach of Instructure, Liska said. Sometimes small breaches reveal weaknesses that threat actors later exploit in future leaks, said Yuceel, who compared it to a leak in a boat.
“You fixed it, but you already have the water in the boat,” he said.



