Skip to main content

A Canvas outage tied to a cyberattack has wreaked havoc on colleges’ final exam season

Schools and universities across the country are recovering from an outage that knocked down Canvas, an online platform that manages exams, course notes, lecture videos and grades. The disruption tied to a cyberattack hit in the middle of finals period for many colleges, a high-stress time when students and instructors rely heavily on the platform.

By late Thursday, Instructure, the parent company of Canvas, said the platform was available again to most users.

The hacking group ShinyHunters claimed responsibility for the breach, said Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. On Friday, Instructure and Canvas no longer appeared on a site where ShinyHunters lists its targets.

Some schools, however, have continued to block students and teachers from accessing Canvas, citing an abundance of caution while assessing security threats.

Here’s what to know about the outage.

What is Canvas?

Schools and universities use Canvas to manage nearly all aspects of instruction. The platform acts as a gradebook, a hub for digital lectures and course materials, a discussion board for classroom projects, and a messaging platform between students and instructors.

Some courses also give quizzes and exams on the platform, or use it as a portal where final projects and papers are submitted on deadline.

Who is ShinyHunters?

ShinyHunters is a loose association of teenage and young adult hackers in the U.S. and the United Kingdom who have been linked to other large-scale cyberattacks, including one on Ticketmaster, Connolly said. On the page listing their targets, the group describes itself as “rooting your systems since ‘19,” using a term for accessing a computer system’s deepest layer.

Earlier this week, ShinyHunters said that nearly 9,000 schools and 275 million individuals’ data could be leaked if schools did not pay the ransom by a deadline of May 6. The group then extended the deadline, indicating some schools had engaged with them to negotiate.

In a statement posted to ShinyHunters’ ransomware site, the group said it would not be commenting on the incident.

Schools and universities, rich in personally-identifiable information on students, teachers and employees, have become prime targets for criminal hackers in ransomware attacks. Targets can be individual districts, like the Minneapolis Public Schools or Los Angeles Unified School District, or external vendor platforms like Canvas or PowerSchool that education systems increasingly rely on to manage schedules, courses and exams.

The impact on students

Though most schools seem to have restored access to Canvas, the disruptions to finals period are likely to ripple throughout the week.

The University of Massachusetts at Dartmouth said that it would postpone exams scheduled for Friday and Saturday to ensure students had time to review course materials that would not have been accessible during the shutdown.

The University of Illinois postponed all exams that were scheduled to take place Friday, Saturday or Sunday for all classes, regardless of whether the courses utilized Canvas.

And Montgomery County Public Schools in Maryland continued to limit access to Canvas on Friday, citing an abundance of caution “while we work to better understand the full impact of the incident and any potential vulnerabilities involving information connected to the platform.”

Should students be worried about data privacy?

The data breach appeared to involve student ID numbers, email addresses, names and messages on the Canvas platform, Instructure’s chief information security officer, Steve Proud, said in an update shared May 2. He said the company had not found evidence that passwords, dates of birth, government identification or financial information were compromised.

Even with Canvas back online, cybersecurity experts are urging impacted students and educators to stay alert.

Other bad actors could try and take advantage of the breach’s aftermath through additional phishing attacks. Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, warns that someone impersonating a school district, for example, could send a malicious message prompting users to reset their Canvas password.

“Be very suspicious of any inbound messages,” Steinhauer said, particularly if urgent action is requested.

Experts stress that major breaches are an important reminder for consumers to revisit best “cyber hygiene” practices overall.

The basics include creating hard-to-guess passwords, using multifactor authentication when possible and monitoring online accounts for any suspicious activity. In addition, the Federal Trade Commission notes that nationwide credit bureaus — such as Equifax, Experian and TransUnion — offer free credit freezes and fraud alerts that consumers can set up to help protect themselves from identity theft and other malicious attacks.

___

The Associated Press’ education coverage receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP’s standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org.

Texas public schools see first non-pandemic enrollment drop in decades

Roughly 76,000 fewer students enrolled in Texas public schools this academic year — the first non-pandemic decline in nearly four decades — with Hispanic students accounting for the overwhelming majority of the loss, according to a report released Monday. The policy research group Texas 2036 analyzed the state’s enrollment data and projected that about 100,000 fewer students would attend public schools by the end of the current decade. However, some projections show the number growing by nearly half a million over that time. Hispanic students accounted for 81% of this school year’s enrollment drop, Texas 2036 found. Students learning English and those from low-income families experienced some of the sharpest declines. Over the past year, federal and state leaders increased anti-immigration rhetoric, in some cases detaining Texas students and prompting fear across communities. Meanwhile, the rate of Texas families having children has declined in recent years. Districts have lost students to other schooling options, with more families expected to opt out of their public neighborhood campuses as the state launches school vouchers later this year.
Read Next Story