Canvas, an instructional platform used by school districts and higher education institutions across the United States, is out of commission.
Instructure, the parent company of Canvas, placed the software in “maintenance mode” while it investigates the cause of the shutdown, which occurred amidst finals week for many students.
All final exams, including in-person exams “are canceled and will not be rescheduled,” said a 10 p.m., Thursday email to Boise State University students.
“We do not yet have a confirmed timeline for restoration and are actively working through contingency planning and next steps,” said the email, from Boise State Dean of Students Christian Wuthrich.
Most, if not all, of Idaho’s colleges and universities use Canvas in some capacity. Boise State, the College of Western Idaho and the University of Idaho use the platform. Some K-12 districts use it as well.
Two days prior to the shutdown, Instructure confirmed a data breach by hackers. A hacking group called ShinyHunters claimed responsibility for the breach.
ShinyHunters defaced Canvas login pages for some schools, TechCrunch reports.
After the COVID pandemic, schools have faced an onslaught of ransomware attacks, according to reporting by The 74. A 2022 cybersecurity survey found that 80% of responding schools had suffered ransomware attacks. The national education news outlet’s research suggested that hackers often target schools because of their willingness to pay ransoms, with hackers calling the payouts “all but guaranteed.”
Schools that face ransomware attacks often do so under a veil of secrecy, Wired and The 74 reported. Specialized lawyers act as middlemen, hiring the cybersecurity and crisis communication professionals and shielding it under attorney-client privilege. The result is often a months- or years-long delay, before data breach victims receive notification from schools that their sensitive information has been exposed.
The message published on some schools’ login pages said ShinyHunters will release sensitive data by Tuesday if schools do not “negotiate a settlement.”
After the first breach earlier this week, Instructure reported that hackers did not access sensitive information like passwords, dates of birth, government identifiers, or financial information.
