Schools reach out to Canvas hackers as breach hits US classrooms, source says

Some schools and universities affected by an April breach of the educational tool Canvas, in which a cybercriminal group stole student data, reportedly tried to negotiate directly with the hackers to stop the data from being released, a source told Reuters on Friday.

ShinyHunters, a hacking group known for a series of data theft and extortion campaigns against major global companies, claimed in a May 3 post on its website that it had stolen about 6.65 terabytes of Canvas data from nearly 9,000 schools worldwide, including student names, email addresses, and private messages between students, teachers, and staff.

Student newspapers nationwide reported this week that the hack has been causing major disruptions as students gear up for end-of-year tasks and assignments. The software, used by schools to manage classwork, share information, and send messages between students and faculty, has been heavily impacted.

On May 5, the group posted a message saying that Canvas parent company, Instructure, had “not even ​bothered speaking to us” to prevent a data leak, and that their demand “was not even as high as you might think it is.” ​The message included a list of roughly 1,400 individual schools and districts, and invited the schools to contact them to negotiate and prevent data from being posted.

The Cornell Daily Sun reported Friday that a Canvas hack disrupted students as they were trying to study for final exams.

Instructure announced in a May 1 post on its ​support website that it was investigating a cybersecurity incident. A post the next day, signed by Chief Information Security Officer Steve Proud, ​said the “information involved” included Canvas user names, email addresses, student ID numbers and messages among users. In a May 6 update, the company said ‌the situation ⁠was resolved and that Canvas was fully operational.

On May 7, students at multiple schools reported attempting to log into Canvas and finding a note from ShinyHunters with a link to the list of affected schools. Instructure pulled Canvas, Canvas Beta and Canvas Test offline a short time later, but restored access to Canvas four hours later.

Canvas Beta and Canvas Test remain in “maintenance mode,” according to Instructure’s support site.

ShinyHunters ​pulled both messages off its ​website as of May 7, ⁠replacing them with a message saying they were “not commenting and have no further comment to make regarding this global incident.” A group representative declined to answer questions from Reuters sent via online chat.

Extortion ​and ransomware groups pull claims about victims off their websites for any number of reasons, including ​sometimes that a target ⁠has paid or is in negotiations.

A note sent to parents from the South Orange-Maplewood School District Friday said the security breach occurred April 25 and that Instructure detected unauthorized activity April 29.

Montgomery County Public Schools in Maryland told students, staff and families in an email Friday that ⁠Canvas ​was returning to service, but that the district was continuing to restrict access out ​of an abundance of caution “until all services have been reviewed and confirmed safe for use.”