After The Canvas Hack, Here’s What Students And Colleges Should Do Next

On May 7, 2024, students at the University of Maryland discovered their Canvas accounts locked out during finals week, disrupting access to study materials. The hack, attributed to the group ShinyHunters, forced students to rely on social media for updates, as the university’s official alert came late. A data hostage message from the hackers, posted on Barstool Maryland’s Instagram, demanded the cancellation of finals. The outage affected over 50% of North American higher education institutions using Canvas, including all Ivy League schools. For students like Andreas Burstein, a junior majoring in economics and finance, the disruption caused stress and uncertainty, especially for those with upcoming exams. While Canvas was restored by Friday morning, the incident highlighted colleges’ over-reliance on third-party platforms and their lack of preparedness for cyberattacks. The University of Maryland stated in its FAQs that it has daily data backups to an archival server, though this did not help students during the outage. Cybersecurity experts, including Cliff Steinhauer of the National Cybersecurity Alliance, warned that colleges prioritize attack prevention over incident response planning. Steinhauer emphasized the need for regular incident-response exercises to improve readiness. The hack also underscored risks tied to third-party vendors, despite expectations of security from platforms like Canvas. In 2023, the Clop ransomware gang exploited vulnerabilities in MOVEit, signaling ongoing threats. Experts urged universities to reassess their dependency on external systems and strengthen risk management protocols to prevent future disruptions.