Data breach shuts down Canvas, stalls finals

A data breach targeting Canvas, an online learning platform used by 41% of higher education institutions in North America, caused widespread disruptions during finals season. The platform experienced outages on May 7, forcing Texas State University to advise faculty and students to rely on alternative communication methods, such as university emails, for assignments and exams. Texas State’s chief information security officer, Dan Owen, confirmed the university had not received a ransom demand and was not among the 9,000 affected institutions listed by the hacker group ShinyHunters. However, Owen acknowledged the possibility of a breach, noting that exposed data includes names, email addresses, student IDs, and messages. Canvas, operated by Instructure, was initially hit on May 1, with ShinyHunters claiming access to professor and student data. While the platform was partially restored by May 7, Student ePortfolios remained inaccessible. Owen stated that no Texas public university or state agency would pay a ransom, though Instructure might consider it. He emphasized that while the disclosed information is not financial, it still poses risks, including potential phishing attempts. Texas State’s IT Advisory Council (ITAC) urged users to remain vigilant against suspicious emails and report any phishing attempts. Faculty were instructed to download gradebooks from Canvas and make accommodations for students affected by the disruption. Aswath, the university’s Provost and Executive Vice President of Academic Affairs, warned that further outages could occur and advised flexibility in communication with students. The breach highlights the vulnerability of educational institutions relying on third-party platforms for critical operations. With finals underway, the disruption has strained academic workflows, though efforts are underway to mitigate the impact.