Hackers demand ransom after breaching major Canvas learning program used by schools and colleges nationwide

A cyberattack on Instructure’s Canvas learning management system has exposed data from nearly 9,000 schools worldwide, including major U.S. universities and K-12 districts. The hacker group ShinyHunters claimed responsibility on Thursday, threatening to release stolen records unless schools and universities pay a ransom by May 12. The breach impacts institutions like the University of North Carolina-Chapel Hill, University of Pennsylvania, University of Illinois, and University of Oklahoma, which rely on Canvas for daily operations. The group accused Instructure of ignoring their initial contact and applying only ‘security patches’ instead of resolving the issue. Luke Connolly, a threat analyst at Emisoft, confirmed the hackers posted screenshots online, detailing their access to billions of private messages and records. Wake County Public School System in North Carolina reported Instructure notified them of the breach but could not confirm what data was accessed, leading the district to temporarily disable Canvas on Thursday. Duke University’s Chief Information Security Officer, Nick Tripp, stated there was ‘no indication’ that passwords, dates of birth, government identifiers, or financial information were compromised. However, the attack underscores the vulnerability of digitized school records, which hackers increasingly target for sensitive data once stored securely in physical files. This follows previous cyberattacks on large school districts, including Minneapolis Public Schools and the Los Angeles Unified School District. The incident has raised concerns about the security of educational institutions’ digital infrastructure and the potential long-term impact on student privacy and academic operations.