Thousands of schools around the globe, including in Canada, have been hit by a massive cybersecurity incident involving Canvas, an online learning-management system that connects millions of students with their instructors.
Post-secondary institutions including the University of Toronto, University of British Columbia, the University of Alberta and Western University’s Ivey Business School are among the affected Canvas users.
Here’s what we know about the breach.
What kind of data?
At universities, colleges and some K-12 schools, instructors use Canvas to share a wide range of material with students, from course notes and assignments to media and exams. They can also use it to communicate and share grades or other updates.
So, the data involved may include full names, email addresses, student numbers and personal messages, according to Instructure, the makers of Canvas.
The company said it detected unauthorized activity on April 29, accessed through a particular type of teacher account. Though the company revoked that access, it took the platform offline to investigate on Thursday when additional activity was detected.
Instructure said it has not found evidence that passwords, financial information or government-issued identification details have been compromised.
About 9,000 universities around the world, including in Canada, were hit by a cyberattack targeting the learning management platform Canvas. Schools are now scrambling to determine the extent of the compromised data.
How can that data be used?
The breach is “very concerning,” said Luke Connolly, an Ottawa threat intelligence analyst at cybersecurity firm Emsisoft, since “there’s all sorts of ways that the information can be put to bad use.”
From a hacker’s perspective, schools are an ideal target since students are “at the very beginning of their financial journey,” without major loans or debts, said Robert Falzon, Check Point Software’s head of engineering for Canada.
Given the multiple breaches across different sectors and services providers in recent years, he said information from this Canvas incident could be combined with data leaked elsewhere to build profiles for creating false identities.
“Those identities in turn can be used to look for loans or take out mortgages or … in various different types of financial crime,” Falzon said.
And in some cases, he said it could take someone “years to discover that they’ve been victimized this way.”
Canvas, a program used by postsecondary schools across Canada, has been hit by hackers. A group called ShinyHunters is claiming responsibility — and asking for a ransom. Emsisoft threat intelligence analyst Luke Connolly lays out what we know.
What is ShinyHunters?
A hacker group called ShinyHunters has claimed responsibility for the cyberattack, which it claims has compromised the personal info of 275 million people, including students, teachers and school staff.
The group, which has previously been tied to breaches at Ticketmaster and Google’s Salesforce database, has threatened to publicly release the stolen data unless paid an undisclosed sum as a “settlement.”
What are students saying?
With many U.S. colleges in the midst of finals, a flurry of students shared via TikTok the ShinyHunters missive that greeted them Thursday as they tried to log into Canvas.
In Canada, where many universities just wrapped the spring exam period, some students shared their confusion over the incident — like logging in before noticing a school email about the breach urging them not to.
“I kind of logged in [automatically] this morning,” said Deborah Elezaj, an undergrad studying at the University of Toronto. “Now we’re being told to change our passwords.”
Having personal info leaked is “a nerve-wracking thought,” said her classmate Emily Saso.
What’s happening at individual schools?
Some of the affected schools have suspended or discouraged use of Canvas (as at U of A, UBC and U of T), while others have returned to using the since-restored platform. Most have sent messages advising people to be wary of suspicious emails.
“We recommend that faculty, staff and students remain vigilant against phishing emails,” U of T posted online Friday afternoon.
“Remember, the university will never ask you to bypass your multi-factor authentication. If you receive an email requesting MFA bypass codes, please report it.”
The institutions are victims in “an awful bind,” said David Shipley, CEO of Beauceron Security in Fredericton.
“This is a company they depend on to deliver services that they could not afford to do or deliver themselves digitally.”
Connolly is wary about any schools considering paying a ransom for the data — a move he says fuels a domino effect. “It encourages the criminals to continue to look for new victims,” he said, “and the payments actually fund their development of new techniques” to exploit others.
Who’s responsible for our data?
Cybersecurity “is everybody’s problem,” said Falzon.
Schools “have a responsibility to make sure that they are using the best tools possible, that they are following protocols … and to protect the students that are using those services,” he said.
Meanwhile, third-party vendors “have an obligation and responsibility to make sure the services they are providing are safe and secure.”
It’s not enough to have cybersecurity audits every once in a while, with breaches “happening on a daily basis now,” Falzon said.
“We need to start thinking very seriously about shortening those cycles and … making sure we’re engaging the community and our partners for awareness, so that everybody understands what the risks to them are, and how they can be a part of the solution.”
Cybersecurity expert Robert Falzon, Canadian head of engineering at Check Point Software Technologies, shares his top three tips of what students and staff impacted by the Canvas cyber incident should be doing next.
Meanwhile, Shipley wants to see stronger federal privacy laws and “meaningful consequences” for companies involved in breaches, similar to the hefty fines firms can face in Europe.
“Companies that actually face these kinds of sanctions up front, they will risk manage better,” he said. “Absent consequences, profit-oriented private companies are going to make money. They’re not going to spend on security.”
How can you protect yourself?
Students and staff face a tricky situation since they don’t typically have a say about vendors their schools pick, nor can they easily opt out of using them, Falzon said.
However, he does recommend changing passwords regularly, switching on multi-factor authentication if you haven’t already and informing your bank if you’re part of a breach, plus signing up for credit monitoring.
Folks should also reconsider how much personal info they’re sharing on social media, he said, such as, “where you live, courses you’re taking, things like that.”
