Cyberattack Disrupts Canvas Education Platform, Affecting Thousands of Schools

The hacking group ShinyHunters claimed in a May 3 statement that it had obtained about 6.65 terabytes of Canvas data from 9000 schools worldwide. On May 8 students and staff logging into the platform encountered a ransom note demanding payment in bitcoin by May 12 or the group would leak the stolen information which it said included names email addresses student ID numbers and private messages.

Canvas which supports more than 30 million active users from kindergartens to Ivy League universities was taken offline Thursday afternoon after the intrusion. Its parent company Instructure based in Utah said it had detected unauthorized activity on April 29 immediately revoked access started an investigation engaged outside forensic experts and notified law enforcement.

Instructure posted an update saying the platform was available for most users though some institutions continued reporting outages into Friday and Saturday.

Universities responded with a range of adjustments as final exam season overlapped with the outage. Penn State canceled exams scheduled for Thursday night and Friday at its Pollock Testing Center before restoring service Friday afternoon. The University of Illinois postponed final exams and due work for Friday Saturday and Sunday.

Mississippi State University pushed Friday final exams to Saturday after students taking a 2900-word meteorology essay saw the ransom note appear on their screens. The University of Tennessee moved all Friday finals to Saturday while Rutgers University canceled Friday finals on its New Brunswick campus with no immediate makeup date announced.

The University of Sydney told students Canvas was unavailable and instructed them not to log in while it awaited further guidance from Instructure. The University of British Columbia and University of Toronto in Canada also reported being affected along with institutions in the Netherlands Sweden the United Kingdom and elsewhere.

Students described immediate confusion and anxiety. One meteorology student at Mississippi State said her knee-jerk reaction was that she had been hacked herself until she read the ransom note and realized the entire class and professor had the same message.

A Rutgers University sophomore studying civil engineering said the platform handles every aspect of academic life from viewing course materials to communicating with professors and checking grades. Many out-of-state students who planned to leave campus immediately after finals found their departure schedules thrown into limbo.

A University of Iowa political science professor who was locked out of grading papers for nine hours used the incident as a live teaching moment during a lecture on cyberattacks and modern warfare. She noted that students now had personal experience with terms such as denial of service.

An MIT MBA student said the outage prompted her to weigh the convenience of centralized digital services against their security risks though she acknowledged most people prioritize day-to-day ease. The FBI issued a warning Friday advising people not to respond to unsolicited contacts claiming to hold their data or demanding payment.

The agency stated that receiving such a message does not necessarily mean personal information has been compromised and recommended awaiting formal guidance from educational institutions.

“If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands. The group posted messages as early as May 5 stating that Instructure had not responded to its demands which it described as not as high as might be expected. Instructure confirmed the breach in a statement saying it took immediate steps to contain the activity brought in outside forensic experts and notified law enforcement. It remains unclear whether any ransom was paid or what the group plans to do with the data it claims to possess. The incident comes as concerns grow over cybersecurity vulnerabilities in education and other sectors that rely on centralized digital platforms. One professor observed that the event illustrated how a single breach could degrade services and create broader problems for financial systems electrical grids and other critical infrastructure when attacks become more sophisticated. Universities including Harvard the University of Chicago UCLA Columbia and Georgetown adjusted deadlines or temporarily disabled access while the University of Cambridge suspended Canvas on Friday. Many institutions advised students to print materials as a precaution and to ignore suspicious messages. The University of Alberta in Canada reported partial restoration with reduced functionality on Saturday while the University of Sydney said the platform had been restored but was not yet accessible to staff or students pending further checks.”

“This goes to show how vulnerable schools are, how vulnerable other institutions are by individuals who seek to exploit or extort at the worst possible time – armed with just a keyboard and a mouse.”