On Thursday, May 7, hacker group ShinyHunters breached Canvas and demanded a ransom from Canvas’ parent company, Instructure, threatening to release the data of thousands of schools. Many students and teachers across the nation were unable to normally access Canvas and were instead met with ShinyHunter’s message. On the same day, Long Beach Unified School District blocked access to Canvas themselves out of concerns for user safety, only restoring access for everyone on Tuesday, May 12.
Being unable to access Canvas proved disruptive towards the workflow of both teachers and students. Teachers that had virtual work on Canvas had to readjust their lesson plans, and in the worst (or best) case scenario, entire class periods became free periods with nothing to do.
“I was out of town. I had left plans for the sub for all my students to do Desmos activities,” said Cesar Gonzalez, who teaches Algebra 2 for CIC. “I wasn’t here, but that threw off my sub plans, so I had to find new things [for my students to do] while I was gone.”
Without being able to use Canvas’ inbox feature, students and parents were unable to communicate with teachers without seeing them in-person.
Meymey, a freshman in Arts, said, “For geometry [class], since Canvas was down, I couldn’t turn in my homework because we had to submit it on Canvas, so that kinda got my grade down.”
According to an incident fact sheet from Instructure, the data compromised is believed to include “usernames, email addresses, course names, enrollment information and messages”, while “information like passwords, dates of birth, healthcare information, social security numbers, financial information, student grades or disciplinary records” are believed not to have been compromised.
While the data that was compromised might not seem particularly sensitive, it’s still enough to be used for phishing attacks. Phishing attacks are when someone impersonates a trusted person (e.g. a banker, schools, etc) in order to bait you into revealing sensitive information or installing malware. For example, a phisher could use messages about a student’s tardiness to impersonate a school attendance clerk, baiting that student into installing malware in order to ‘clear their tardy’.
On May 11, the Instructure website sent out a status update claiming that they have reached an agreement with ShinyHunters. According to Instructure, they received evidence that the stolen data was destroyed, and that nobody using Canvas will get extorted as a result of the breach.
“If hackers are going to be doing things like this, I think it’s pretty lame that they are doing it to schools and kids,” said Mr. Montooth, who teaches government, economics and personal finance for PACE. “I hope our district and the people that run Canvas take this seriously and protect our students and our data in the future.”
