Canvas cyberattack disrupts 9,000 institutions

Instructure said it was still updating schools, faculty and students on May 14 after a cyberattack on its Canvas learning platform disrupted access during the final weeks of the academic term. The Utah-based company said Canvas remained operational by then, but its investigation with outside forensic experts was continuing. (instructure.com) Federal Student Aid issued a technology security alert on May 12 and said the incident affected Canvas platforms used by K-12 schools and colleges worldwide. (instructure.com) The disruption drew attention because Canvas is widely used for assignments, grades, course materials and messages at roughly 9,000 institutions. ### When did Instructure say the incident began? (instructure.com) April 29 is the date Instructure says it became aware of unauthorized activity in its Canvas environment, according to the company’s incident fact sheet surfaced in its community updates. On May 1, the company said it engaged CrowdStrike Services to investigate, and by May 6 its status page said it believed the incident had been contained. May 12 is when Instructure’s public status page marked the incident resolved at 05:32 MDT. The company said after that point it would continue communicating directly with affected customers and provide organization-specific support. (instructure.com) ### What data does Instructure say was involved? Instructure told customers that the data fields identified so far include usernames, email addresses, course names, enrollment information and messages. The company said its investigation had not identified “core learning data” such as course content, submissions or credentials as involved. Federal Student Aid said some messages may incidentally include personally identifiable information. (community.instructure.com) The agency also said Instructure had publicly stated there was no evidence that passwords, dates of birth, government identifiers or financial information were exposed. (status.instructure.com) ### Did the attack affect grades and coursework? Instructure said customer organizations would be notified directly if the company verified that their data was involved. It also said the data fields understood to be exposed were not designed to include student grades or disciplinary records. (instructure.com) Canvas is still central to grading and class administration at many campuses, and the outage itself disrupted finals-week routines even where grade data was not taken. Associated Press reporting said colleges and universities across the country scrambled as students lost access to exams, assignments and grades during the outage tied to the cyberattack. (fsapartners.ed.gov) ### Who was blamed for the attack? Federal Student Aid said a ransomware group identified as ShinyHunters claimed responsibility and repeatedly defaced Canvas login pages with ransom demands. The agency said some institutions reported receiving ransom messages when trying to access Canvas. (instructure.com) EdSurge, citing reporting from SecurityWeek, said ShinyHunters claimed to have stolen 275 million records from institutions using Canvas. Instructure’s public customer updates reviewed here do not confirm that figure, and the company says its investigation into customer-specific impact is ongoing. (apnews.com) ### What are schools being told to do now? The U.S. Department of Education said senior officials were in contact with Instructure’s chief information security officer and were tracking reports from schools. The department told higher education institutions to report ransom messages, threat communications or evidence of unauthorized access through established cybersecurity reporting channels. (fsapartners.ed.gov) Instructure said customers that have not received direct notice should understand that the company has not found evidence their data was involved, while adding that the investigation remains active. (edsurge.com) The company also said it had begun notifying affected organizations on May 5 and was still verifying institution-specific data exposure. ### What comes next for campuses and Instructure? Instructure said on its customer update page that it is hosting another webinar early next week for chief information security officers and technical teams, with external forensic partners expected to share more technical details. The company said it will continue updating customers as it verifies affected individuals and the specific data involved. (fsapartners.ed.gov) (instructure.com)