Canvas System Used by Over 40% of US Schools Breached

Canvas, software used by thousands of schools in the U.S., has been hacked and the private data of staff and students stolen.

A hacker group called ShinyHunters claims credit for the hack.

Large educational institutions like Columbia, Princeton, Harvard, and Georgetown were met with ransom notes on the homepage of their Canvas sites.

Instructure, the company behind Canvas, received a ransom note from the group saying that data on millions of users including students, teachers, and staff would be leaked if they didn’t pay up.

An unnamed source told CNN that the FBI has deployed resources to help institutions deal with the situation.

As if the data breach itself wasn’t enough, the FBI also warned of scammers contacting those affected claiming to have their data.

According to the same CNN article, Instructure says Canvas is “fully calm online and available for use” as of Friday.

Data obtained by the hackers included 275 million users’ user names, email addresses, student ID numbers, and billions of private messages.

Apparently, the threat actors had exploited an issue with Instructure’s Free-for-Teachers accounts. Instructure has temporarily disabled this feature in light of the hack.

As you can imagine, the hack has caused a huge disruption to educational institutions that are already spread thin as it is. Exams had to be cancelled as teachers waited for a fix.

Centralized cloud platforms like Canvas create a central point of failure, where all of their customers’ data and the functionality of their software rely on Instructure being up and running.

It also creates a massive central pool of data that makes a very attractive target for hackers.

As schools rely more and more on complex centralized software for their functions, and as surveillance of students becomes more and more common, the risks of data breaches will continue to grow.

Schools for years now have been using software to collect and monitor keystrokes, communications, photos, and much more. Sensitive data collected by the software can include private communications, passwords, and sensitive images.

Such software doesn’t protect students and simply creates a bigger target for hackers.

Schools have a duty to protect the data of their students, but they’re floundering at the first hurdle.

If you’re a student, it’s always a good idea to practice separation between school activities and personal ones. If you have a school-issued device, don’t use it for anything not school-related. If you’re forced to install invasive software on a personal device, have one device dedicated to school activities and one for personal use.
