Skip to main content

A Canvas outage tied to a cyberattack has wreaked havoc on colleges’ final exam season

Schools and universities across the country are recovering from an outage that knocked down Canvas, an online platform that manages exams, course notes, lecture videos and grades. The disruption tied to a cyberattack hit in the middle of finals period for many colleges, a high-stress time when students and instructors rely heavily on the platform.

By late Thursday, Instructure, the parent company of Canvas, said the platform was available again to most users.

The hacking group ShinyHunters claimed responsibility for the breach, said Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. On Friday, Instructure and Canvas no longer appeared on a site where ShinyHunters lists its targets.

Some schools, however, have continued to block students and teachers from accessing Canvas, citing an abundance of caution while assessing security threats.

Here’s what to know about the outage.

What is Canvas?

Schools and universities use Canvas to manage nearly all aspects of instruction. The platform acts as a gradebook, a hub for digital lectures and course materials, a discussion board for classroom projects, and a messaging platform between students and instructors.

Some courses also give quizzes and exams on the platform, or use it as a portal where final projects and papers are submitted on deadline.

Who is ShinyHunters?

ShinyHunters is a loose association of teenage and young adult hackers in the U.S. and the United Kingdom who have been linked to other large-scale cyberattacks, including one on Ticketmaster, Connolly said. On the page listing their targets, the group describes itself as “rooting your systems since ‘19,” using a term for accessing a computer system’s deepest layer.

Earlier this week, ShinyHunters said that nearly 9,000 schools and 275 million individuals’ data could be leaked if schools did not pay the ransom by a deadline of May 6. The group then extended the deadline, indicating some schools had engaged with them to negotiate.

In a statement posted to ShinyHunters’ ransomware site, the group said it would not be commenting on the incident.

Schools and universities, rich in personally-identifiable information on students, teachers and employees, have become prime targets for criminal hackers in ransomware attacks. Targets can be individual districts, like the Minneapolis Public Schools or Los Angeles Unified School District, or external vendor platforms like Canvas or PowerSchool that education systems increasingly rely on to manage schedules, courses and exams.

The impact on students

Though most schools seem to have restored access to Canvas, the disruptions to finals period are likely to ripple throughout the week.

The University of Massachusetts at Dartmouth said that it would postpone exams scheduled for Friday and Saturday to ensure students had time to review course materials that would not have been accessible during the shutdown.

The University of Illinois postponed all exams that were scheduled to take place Friday, Saturday or Sunday for all classes, regardless of whether the courses utilized Canvas.

And Montgomery County Public Schools in Maryland continued to limit access to Canvas on Friday, citing an abundance of caution “while we work to better understand the full impact of the incident and any potential vulnerabilities involving information connected to the platform.”

Should students be worried about data privacy?

The data breach appeared to involve student ID numbers, email addresses, names and messages on the Canvas platform, Instructure’s chief information security officer, Steve Proud, said in an update shared May 2. He said the company had not found evidence that passwords, dates of birth, government identification or financial information were compromised.

Even with Canvas back online, cybersecurity experts are urging impacted students and educators to stay alert.

Other bad actors could try and take advantage of the breach’s aftermath through additional phishing attacks. Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, warns that someone impersonating a school district, for example, could send a malicious message prompting users to reset their Canvas password.

“Be very suspicious of any inbound messages,” Steinhauer said, particularly if urgent action is requested.

Experts stress that major breaches are an important reminder for consumers to revisit best “cyber hygiene” practices overall.

The basics include creating hard-to-guess passwords, using multifactor authentication when possible and monitoring online accounts for any suspicious activity. In addition, the Federal Trade Commission notes that nationwide credit bureaus — such as Equifax, Experian and TransUnion — offer free credit freezes and fraud alerts that consumers can set up to help protect themselves from identity theft and other malicious attacks.

___

The Associated Press’ education coverage receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP’s standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org.

Ohio State trustees OK $100M settlement with hundreds of former students abused by doctor

COLUMBUS, Ohio (AP) — Ohio State University agreed Wednesday to pay approximately $100 million to settle legal claims from hundreds of former student athletes who said they were sexually abused decades ago by a doctor at the university. The school has fought lawsuits in federal court since 2018 brought by former student athletes against the university over its failure to stop abuse by Dr. Richard Strauss. Strauss worked at the school from 1978 to 1998 and also ran an off-campus clinic. He died in 2005. During a meeting Wednesday, the school's Board of Trustees approved a preliminary agreement with all but one of the 280 survivors with claims still involved in pending litigation. Once finalized, the settlement could mark the end of a lengthy legal battle and close a painful chapter in the school's history. “The survivors of the Strauss abuse are all Buckeyes, will always be a part of our family and our community, and I firmly believe that,” the school's president, Ravi Bellamkonda, said during the meeting. “We continue to be very grateful to them for their courage in coming forward, and reaching a final resolution is very important to us and is an important step forward.”
Read Next Story

Related Stories

Ohio State trustees OK $100M settlement with hundreds of former students abused by doctor

Trump’s Education Department is backing away from addressing civil rights for Black students

9 students appear in court over Kenya school arson that killed 16 girls