In a striking breach of data security, millions of students across universities and K-12 districts have had their information compromised following a cyberattack on Canvas, a widely used classroom management tool.
The Incident
This past Thursday, Canvas experienced a significant outage, affecting its more than 30 million users. The platform, which supports numerous K-12 districts and half of the higher education institutions in North America, is essential for managing assignments, posting course materials, and conducting exams. The timing was particularly unfortunate, as many students were likely in the midst of taking final exams when the system went down.
The disruption was caused by a ransomware group known as ShinyHunters, which attacked the platform twice in one week, demanding money in exchange for student data. This data includes names, addresses, student ID numbers, and potentially even grades and coursework, as Canvas serves as a centralized data hub for many educational institutions.
Motives Behind the Attack
While it might not seem immediately lucrative to target students, hackers exploit the fact that young individuals often do not monitor their credit or set up alerts for suspicious financial activities. This allows malicious actors to misuse a student’s identity for extended periods without detection. This attack on Canvas represents the largest single event targeting young people, although numerous school districts have reported similar breaches in recent years.
Implications for EdTech Companies
This incident raises critical concerns about the reliance on private software companies by public schools. T. Philip Nichols, an associate professor at Baylor University, highlights this dependency, stating, “This incident should give us pause, not because it’s an aberration, but because it isn’t.” He suggests that the fragility of these systems is a pressing issue, and schools would benefit from being just as vigilant about data protection even without the threat of a ransom.
Next Steps and Ongoing Concerns
Canvas has since been restored online, and its parent company, Instructure, has remained relatively silent, only updating users once systems were operational again. Immediate concerns such as grade submissions and exam schedules appear to be addressed. However, the company continues to investigate the breach’s full impact. Cybersecurity expert Matt Radolec, who has previously handled negotiations with ShinyHunters, warns that the system being back online does not guarantee the breach is fully resolved. Once a group like ShinyHunters gains access, ensuring their complete removal is challenging.
As the exam season continues, Canvas and its users remain on high alert while efforts to secure student data persist.
This article was originally written by www.npr.org



