Colleges and universities nationwide are dealing with major disruptions to final exams after hackers targeted Canvas, a widely-used online learning platform. The cyber attack occurred during one of the most stressful times of the academic year when students and faculty depend on the system for testing, grades, and course materials.
Instructure, which owns Canvas, announced late Thursday that service had been restored for most users following the security breach.
According to Luke Connolly, a cybersecurity analyst with Emsisoft, the hacking collective known as ShinyHunters took credit for the attack. By Friday, Canvas and Instructure were no longer listed on the website where ShinyHunters posts information about their targets.
Despite the restoration, some educational institutions continue restricting Canvas access as a precautionary measure while they evaluate potential security risks.
Canvas serves as a central hub for academic activities, functioning as a digital gradebook, repository for lecture materials and videos, discussion forum for class projects, and communication tool between educators and students.
Many courses also conduct quizzes and tests through the platform, or require students to submit final assignments and research papers through the system by specific deadlines.
Connolly explained that ShinyHunters operates as a loosely organized group of teen and young adult cybercriminals from the United States and United Kingdom, previously connected to major breaches including the Ticketmaster incident. The group’s website describes their activities as “rooting your systems since ’19,” referring to gaining unauthorized access to computer networks’ core systems.
This week, ShinyHunters threatened to release sensitive information from approximately 9,000 educational institutions and 275 million individuals unless schools paid their ransom demands by a May 6 deadline. The group later pushed back this deadline, suggesting some institutions had begun negotiating with them.
Educational institutions have become attractive targets for ransomware criminals due to the vast amounts of personal data they maintain on students, faculty, and staff. These attacks can target individual school districts, such as those in Minneapolis or Los Angeles, or strike third-party platforms like Canvas and PowerSchool that schools increasingly depend on for scheduling, coursework, and testing.
While most schools have regained Canvas access, the timing during finals week will likely cause ongoing complications throughout the remainder of the academic period.
The University of Massachusetts at Dartmouth announced it would delay Friday and Saturday examinations to give students additional time to access study materials that were unavailable during the system outage.
The University of Illinois postponed all Friday, Saturday, and Sunday exams for every course, including those that don’t typically use Canvas.
Montgomery County Public Schools in Maryland maintained restricted Canvas access on Friday, stating they were proceeding “with an abundance of caution while we work to better understand the full impact of the incident and any potential vulnerabilities involving information connected to the platform.”
