Elizabeth Polo was in a creative writing class at the University of Maryland on Thursday afternoon when a classmate shouted, “Canvas was hacked.” A message from a hacker collective appeared on his computer screen.
“Our whole class was crazy about it,” said Polo, a junior. “Our poor teacher was trying to calm everyone down, but it was kind of chaos.”
Across academia, the outage sparked panic and confusion as students and faculty were locked out of a platform they rely on to manage grades and access course grades and assignments. Universities rushed to reschedule final exams when students lost their way to access the materials they needed to study.
Instructure, the company behind Canvas, said in a update thursday night that the system was available to the majority of users. Instructure has not posted about the attack on its social media, and the company did not immediately respond to emails from The Associated Press asking if it paid a ransom and what happened to the compromised data.
Rich in digitized data, the country’s schools are main targets for remote criminal hackers, who assiduously locate and collect confidential files that not long ago were stored on paper in locked cabinets. Past attacks have affected Minneapolis Public Schools and the Los Angeles Unified School District.
Hackers breached data days before outage
A hacking group called ShinyHunters claimed responsibility for the Canvas breach, said Luke Connolly, a threat analyst at cybersecurity firm Emsisoft. The hacking group posted online that nearly 9,000 schools around the world were affected and billions of private messages and other records were accessed, Connolly said.
The message that appeared on Polo’s computer screen urged individual schools to contact the hacking group directly to negotiate a settlement and threatened to leak data if they did not do so. He said Canvas later deleted that message and replaced it with a message saying the site was undergoing scheduled maintenance.
Just before 1 a.m. on Friday, Polo was able to submit an assignment on Canvas, but is now concerned that his personal data may have been compromised.
On Thursday, “Instructure discovered that the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers logged in,” Instructure said Friday in a statement. “Out of an abundance of caution, we immediately took Canvas offline to contain access and investigate further.”
Instructure, the company behind Canvas, said it confirmed that the unauthorized actor exploited an issue related to its Free-For-Teacher accounts. The company has temporarily closed those accounts.
Canvas crashed just as deadlines approached
The interruption occurred just as the deadline for semester-long projects arrived in one of Gwyneth Doland’s journalism classes at the University of New Mexico.
“They were a little hyperventilating,” recalled Doland, who extended the deadlines. “None of these platforms are foolproof. I’m glad they learned that lesson.”
That the attack occurred as the finals approached was no surprise to Huseyin Can Yuceel, security research leader at Picus Labs.
“Timing is everything, because they want to inflict as much pain as possible,” he said, “so they can extort money from you.”
Teachers said they had to find solutions to help students study for exams and submit final assignments. Some schools, such as the University of Texas at San Antonio, announced they would delay final exams scheduled for Friday in response to the disruption.
Rod Uzat, professor of Educational Leadership at the University of Texas Permian Basin, delayed the release of grades by one day.
“The concern is for those of us who were qualifying if there is anything left,” Uzat said.
Rhongho Jang, a computer science professor at Wayne State University in Detroit, was finalizing grades for a class of 94 students when the system went down. It retains hard copies of student exams, but all semester assignments, which make up half of the final grade, are completed online.
If those assignments and grades couldn’t be made up, Jang would have given his students all the credit.
“I didn’t want to penalize them,” he said. “We can’t judge based on data we don’t have. The ultimate responsibility remains with the server.”
Reliance on technology makes schools vulnerable
The breach highlighted how much schools rely on digital platforms from outside companies to keep their operations running.
“It all comes down to concentration risk,” said Joseph Blankenship, vice president and director of research at Forrester. He said any space, including education, is particularly vulnerable when there are only one or perhaps two key vendors hosting essential technology.
Allan Liska of cybersecurity firm Recorded Future said the outage appeared deliberate, not a glitch, and that Instructure was trying to determine how widespread the problem was and make sure the hackers were no longer inside its system.
“There is no indication at this time that any ransom has been paid,” Liska said. “And it’s probably still too early for a ransom to have been paid. You know, normally these negotiations go on for a while.”
Connolly described ShinyHunters as a loose membership of teens and young adults based in the United States and the United Kingdom. The group has also been linked to other attacks, including Ticketmaster subsidiary of Live Nation. ShinyHunters posted online that it was not commenting on the Canvas incident.
ShinyHunters, or an affiliate, was also behind an earlier, smaller Instructure breach, Liska said. Sometimes small breaches reveal weaknesses that threat actors then exploit in future breaches, said Yuceel, who compared it to a leak on a ship.
“You fixed it, but you already have the water in the boat,” he said.
___
This story has been updated to correct the name of the cybersecurity company to Emsisoft, not Emisoft. ___
Associated Press writer Wyatte Grantham-Philips contributed to this report.
___
Associated Press education coverage receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP standards to work with philanthropic organizations, a list of supporters and funded coverage areas on AP.org.