A widespread outage affecting Canvas, an online platform integral to managing exams, course materials, and grades, has disrupted final exam periods at schools and universities across the United States. The disruption, which was caused by a cyberattack, struck during the high-stress finals season when students and instructors depend heavily on the platform.
Recovery Underway
By late Thursday, Instructure, the parent company of Canvas, announced that the platform had been restored for most users. The hacking group ShinyHunters claimed responsibility for the breach, according to Luke Connolly, a threat analyst at cybersecurity firm Emsisoft. As of Friday, Instructure and Canvas no longer appeared on a site where ShinyHunters lists its targets. However, some schools have continued to block access to Canvas as a precaution while assessing security threats.
What is Canvas?
Canvas is a learning management system used by educational institutions to handle nearly all aspects of instruction. It functions as a digital gradebook, a repository for lecture videos and course notes, a discussion board for collaborative projects, and a messaging tool for communication between students and instructors. Many courses also administer quizzes and exams through the platform or use it as a submission portal for final projects and papers.
Who is ShinyHunters?
ShinyHunters is a loosely organized group of teenage and young adult hackers based in the United States and the United Kingdom. They have been linked to other large-scale cyberattacks, including one on Ticketmaster. On their target list page, the group describes itself as “rooting your systems since ‘19,” a reference to gaining deep access to computer systems. Earlier this week, ShinyHunters threatened to leak data from nearly 9,000 schools and 275 million individuals unless a ransom was paid by May 6. The group later extended the deadline, indicating that some schools had entered negotiations.
Impact on Students
Although most schools have restored access to Canvas, the disruptions during finals week are expected to have lingering effects. The University of Massachusetts at Dartmouth postponed exams scheduled for Friday and Saturday to allow students time to review course materials that were inaccessible during the outage. The University of Illinois postponed all exams scheduled for Friday, Saturday, and Sunday, regardless of whether courses used Canvas. Montgomery County Public Schools in Maryland continued to limit access to Canvas on Friday, citing an abundance of caution while working to understand the full impact and potential vulnerabilities.
Schools and universities, which hold vast amounts of personally identifiable information on students, teachers, and employees, have become prime targets for ransomware attacks. Attackers often target individual districts or external vendor platforms like Canvas and PowerSchool, which educational systems increasingly rely on for scheduling, courses, and exams.
