Owen Burlingame’s Advanced Placement (AP) Physics exam was six days out. He grabbed his headphones and sat at his desk to start on his classwork. Burlingame was ready to go, but he wasn’t able to study that night. Canvas was inaccessible.
“I couldn’t even finish my physics homework that weekend,” Burlingame said.
For several hours on May 7, the online learning platform Canvas went down due to a security breach. Canvas is used by over 8,000 schools globally, according to its website, and, in many cases, it hosts curriculum resources, assignments, and communication between teachers and students. Burlingame, a senior at California High School in San Ramon, was among the students affected by the breach.
According to Instructure’s webinar FAQ, the attack was detected and disabled approximately 10 minutes after it began. Instructure was also assured by the cybercriminals that student data “would not be shared on the dark web or elsewhere.”
Canvas was “fully operational and safe to use” a day later, on May 8, according to an incident update. Not all schools returned to Canvas then, however.
“I use Canvas for half of my classes, and my school took it down for three days,” said Brianna Bair, a senior at Academy of the Canyons in Santa Clarita, California.
The cybercriminal organization ShinyHunters claimed responsibility for the cyberattack, saying nearly 9,000 schools worldwide were affected and 275 million individuals’ data were in jeopardy, including private messages between teachers and students, according to a ransom note shared on the ransom monitoring site Ransomware.live. The attackers also posted a ransom note on roughly 300 institutional logins, according to Instructure’s webinar FAQ.
However, most of this data was not collected during the global Canvas outage on May 7, according to Instructure’s fact sheet. Instead, usernames, email addresses, and messages may have been compromised during an earlier attack on April 29. Attackers gained elevated access to student data after they exploited a Free-for-Teacher account.
“This first presented as a Canvas outage, so the first concern was about how long the outage might be,” said Barbara Reklis, the SUHSD Director of Instructional Technology. “Once we learned that it was a security incident, priorities shifted to investigating the extent of the breach and the impact on our learning communities.”
A day after the initial attack, on May 1, Instructure released an update on its incident report saying that there was a “cybersecurity incident perpetrated by a criminal threat actor.” Instructure said it “promptly revoked the unauthorized party’s access, started an investigation, and engaged outside forensics experts,” according to its incident fact sheet.
In a webinar FAQ, Instructure described the jeopardized data as “low-sensitivity,” stating that no passwords, medical information, or financial information was compromised.
Instructure notified its users of the attack on its incident report, but did not send a direct notification to students. Individual schools were left to notify students directly.
“I wasn’t really worried about my data because my school never said anything about it,” said Cassidy Ritter, a senior at Westview High School in San Diego.
After the same hacking group exploited a second vulnerability on May 7, Canvas went into maintenance mode as Instructure worked to “contain the breach and apply safeguards,” according to its security incident update page.
“The district monitored the impacts of the recent incident to ensure students and staff continue to have what they need,” Reklis said.
Canvas’s abrupt absence was more noticeable than the attack on April 29, particularly as students across the nation were preparing for AP exams and finals. Losing access to Canvas disrupted many students’ access to their materials.
“We take proctored tests on Canvas, so we had a bunch of things delayed,” said Emma Petersen, a junior at Laguna Beach High School in Laguna Beach.
At Carlmont High School, biology teacher Melissa Hero uses Canvas as a home base for classroom resources.
“I have all of my assignments, videos, documents, and quizzes on other platforms. Canvas is not meant to be the only copy of content,” Hero said. “Canvas is used more as an access point, which has all of a class’s content in one easy location.”
For Hero, because access to classroom materials isn’t tied to Canvas, the breach was inconvenient, but could be worked around. Across America, teachers kept the classroom moving through emailed lectures and alternative third-party platforms.
“My teachers ended up going on paper,” Petersen said.
Different schools use Canvas to varying degrees, so the breach didn’t have a uniform impact on Californian students.
“I had a lot of friends in college who were complaining about it,” said Kai Matsumoto, a senior at Los Alamitos High School in Los Alamitos. “But I don’t think it did much.”
After Instructure allegedly paid a ransom on May 8, the national learning platform went back online for most students.
“There have been so many data breaches over the years,” Hero said. “It seems inevitable that it would happen with tools used in education as well. I don’t think any online platform is 100% secure.”
The cyberattack occurred because hackers exploited a bug, or software weakness, in Canvas’s software on an international scale. Another software bug was found at the local scale. Around the time of the broader breach, a local student identified and reported a separate Canvas vulnerability, one that was not a data security issue, to the district technology team. Reklis contacted Canvas to collaborate on a solution and resolve this vulnerability.
“An incident like this is a great time to reflect on existing practices and make improvements as necessary,” Reklis said. “A platform change requires in-depth feedback from those who would be most impacted by the change. We keep students’ and teachers’ needs first.”
Primarily using a single platform for education, such as Canvas, creates new possibilities. Security bugs can compromise academic integrity if exploited, and security vulnerabilities can be used by threat actors to leak private student information. However, Canvas makes it possible to centralize learning for thousands of students, benefiting students themselves and those who support them.
“Canvas makes organizing content easy and makes content easily available to students and parents,” Hero said. “I am not sure that I would choose to walk away from a platform like Canvas.”
When personal data is shared online, it is unlikely that any company can guarantee its security. Most modern software that handles personal data also carries the risk that the data may be compromised, even if the odds are low. A centralized online classroom may introduce new security vulnerabilities, but by reporting weaknesses and staying aware of data security, our district continues to prioritize teachers’ and students’ needs.
“We all need to be vigilant in protecting our digital data,” Reklis said. “Benefits are always weighed against potential risks; we evaluate the balance. This is a responsibility we take very seriously in order to maintain safety.”
