Massive data breach affects schools using Canvas nationwide; Penn reportedly impacted

A cyberattack on Canvas, a widely used web-based learning platform owned by Instructure, has exposed data from millions of students and faculty across thousands of U.S. schools and universities, including the University of Pennsylvania. The hackers, identified as Shinythunters, posted a warning on Penn’s Canvas page, demanding institutions contact them by May 12 to prevent data release. The breach has affected K-12 schools and higher education institutions nationwide, with exposed information including names, email addresses, student IDs, and internal communications. While highly sensitive data like Social Security numbers and passwords remain uncompromised, experts warn that the leaked details could fuel targeted scams, including phishing attacks. Students at Penn report no official communication from the university, though some are aware of the breach through reports. Charles Shen, a junior, noted Canvas’s central role in academic life, while Sarah Parmet, a freshman, described a growing desensitization to cyber incidents. Rob D’Ovidio, a Drexel University cybersecurity expert, emphasized the severity of the attack, calling it ‘sector-wide’ due to Canvas’s near-universal adoption in education. The hackers are demanding ransom payments from affected institutions, threatening to release the data if demands are not met. Cybersecurity professionals advise against paying ransom and instead recommend monitoring accounts for suspicious activity. The University of Pennsylvania has not yet responded to requests for comment, leaving students and staff reliant on broader expert guidance as the situation develops.