Canvas-affected schools and universities whose student data was stolen by a cybercriminal hacking group as part of a breach of the educational tool in April have individually sought to deal with the hackers directly to prevent the data release.
As reported reutersShinyHunters, a hacking group behind a series of data theft and extortion campaigns targeting major global companies, said in a May 3 post that it had stolen approximately 6.65 terabytes of Canvas data belonging to nearly 9,000 schools around the world, including student names, email addresses and private messages between students, teachers and other staff.
Student newspapers across the country reported this week that the hack is causing widespread disruption as students prepare for end-of-the-year tasks and assignments
The software is used by schools to share class assignments and information, as well as to facilitate messages between students and school faculty.
On May 5, the group posted a message saying that Canvas’s parent company, Instructor, “didn’t even bother to talk to us” to prevent the data leak and that their demands were “not as high as you might think.” The message included a list of approximately 1,400 individual schools and districts and invited schools to contact them to negotiate and stop the data from being posted.
The Cornell Daily Sun reported Friday that the Canvas hack disrupted students trying to study for final exams.
Instructables announced in a post on its support website on May 1 that it was investigating a cybersecurity incident.
A post the next day signed by Chief Information Security Officer Steve Proud said the “information involved” included Canvas usernames, email addresses, student ID numbers, and messages between users.
In a May 6 update, the company said the situation has been resolved and Canvas is fully operational.
On May 7, students from several schools reported attempting to log into Canvas and receiving a note from ShinyHunters with a link to a list of affected schools. Instructables took Canvas, Canvas Beta, and Canvas Test offline after a short time but restored access to Canvas four hours later.
According to Instructables’ help site, Canvas Beta and Canvas Test remain in “maintenance mode”.
ShinyHunters removed both messages from their website on May 7, and replaced them with a message stating that they “are not commenting and have no further comments to make in relation to this global incident.” A group representative declined to answer Reuters questions sent via online chat.
Extortion and ransomware groups remove claims about victims from their websites for a variety of reasons, sometimes including whether a target has paid up or negotiations are ongoing.
A note sent to parents Friday from the South Orange-Maplewood School District said the security breach occurred on April 25 and Instructables detected the unauthorized activity on April 29.
Some schools told students, staff and families in an email Friday that Canvas is returning to service, but that the district will continue to restrict access out of an abundance of caution “until all services have been reviewed and confirmed safe for use.”
According to Instructor’s website, Canvas has 30 million active users between kindergarten and college age.
