UBC, SFU among thousands of universities affected by Canvas software cyber breach | #hacker

The University of British Columbia (UBC) and Simon Fraser University (SFU) are among thousands of learning institutions around the world that say a cyber breach of the Canvas learning software could affect students’ personal information.

A UBC network status page said on Thursday afternoon that any students still logged in to the software — which is used to access course information, submit assignments and participate in discussions — should log out until they’re notified it’s safe to access the software again.

The network status page said that the university first became aware of a “cyber-related incident” involving Instructure, Canvas’s U.S.-based parent company, late Tuesday afternoon.

An SFU spokesperson said around 9,000 learning institutions around the world have been affected by the “systems breach.”

“Information that may have been involved includes names, email addresses, student ID numbers and messages among Canvas users,” the spokesperson wrote in an email.

The University of Toronto, Ontario College of Art and Design University and the University of Alberta have also been affected by the breach.

WATCH | What you can do to protect yourself if you’ve been hacked:

How to know if you’ve been hacked — and what you can do to protect yourself

Data breaches, hacks and ransomware attacks seem to be in the news more often. But cybersecurity experts say there are helpful steps you can take to protect yourself in the wake of a data breach, and to prepare for the next time it happens.

The UBC page advises students who logged into Canvas on Thursday afternoon to change their password.

“We recommend that faculty, staff, and students continue to be vigilant against phishing and follow best practices for protecting their accounts and data, including using strong passwords and enabling multi-factor authentication where available,” the page reads.

Instructure said it immediately took Canvas offline when it discovered an “unauthorized actor” had made changes to pages seen by students and teachers who were logged in, according to an emailed statement.

The company said the unauthorized actor had exploited an issue related to its Free-For-Teacher accounts, which have been temporarily shut down.

“This gives us the the confidence to restore access to Canvas, which is now fully back online and available for use,” said Instructure. “We regret the inconvenience and concern this may have caused.”

Instructure said on its incident website it initially detected unauthorized activity in Canvas on April 29, when it revoked that party’s access and started an investigation.

Those affected should be wary: expert

Robert Xiao, an associate professor of computer science at UBC, said instructors at the school may consider their teaching materials as proprietary intellectual property — and those materials could now be in the hands of hackers.

“Students are uploading their own project materials, their homework, their solutions, things like that,” he told CBC News.

“In the wrong hands, this could potentially be compromising for academic integrity, among other things.”

Xiao said anyone affected by the cyber breach should be wary of emails and communications in the days to come, given that attackers could be using leaked information for phishing purposes.

CBC News has reached out to the student unions at UBC and SFU.

UBC and SFU are B.C.’s two biggest universities by student enrolment.