‘Security patches’ put student learning system back online after hack :: WRAL.com


A web-based learning management system containing teachers’ and students’ data across North Carolina and the United States is back online after being breached, with one group claiming responsibility for the breach.

On Thursday, a hacker group called “ShinyHunters” said it was responsible for a data breach of Instructure, which manages Canvas. The group said it would release data it acquired through the breach unless it was paid a ransom.

“Instead of contacting us, to resolve it, they ignored us and did some ‘security patches,’” the group wrote in the note.

The group said affected schools could negotiate a settlement and had until May 12 to do so.

What happened?

Instructure said it first detected unauthorized activity in Canvas on April 29. After noticing the activity, it said it revoked the intruder’s access and began working with outside forensic experts.

On May 5, it said it notified impacted schools.

On May 7, it said it found more unauthorized activity tied to the April 29 incident. Someone changed pages that appeared when students and teachers logged in to Canvas. Instructure said it took Canvas offline so it could investigate and contain the activity.

The company said it notified law enforcement, including the FBI, U.S. Cybersecurity and Infrastructure Security Agency and international partners.

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” Instructure said.

The company said on Friday Canvas was brought back online and is available to use again without the free-for-teacher accounts.

“As we respond to this incident, we’re focused on three things: completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data,” Instructure said.

The company has set up a website with updates on the breach.

How are schools affected by the breach?

Canvas is used to manage grades, course notes, assignments, lecture videos and more. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed. Canvas has been used in all public K-12 schools in the state since 2015.

Several school systems in North Carolina, at both the K-12 and university levels, were impacted, including:

  • University of North Carolina at Chapel Hill
  • North Carolina Central University
  • North Carolina A&T University
  • Durham Public Schools
  • Orange County Schools
  • Cumberland County Schools
  • Wake County Public School System
  • East Carolina University
  • Duke University
  • Wake Forest University
  • Fayetteville State University
  • Johnston County Public Schools
  • Franklin County Schools
  • Wilson County Schools

The North Carolina Department of Public Instruction said it removed Canvas’ access to NCEdCloud, its sign-on portal, “until NCDPI deems it is safe to do so.” Teachers and students will not be able to access Canvas through NCEdCloud until then, and the state did not say when it expects that to happen.

“This is a necessary step to protect North Carolina data and schools,” NCDPI said.

Durham Public Schools said it was unsure about the full scope of the breach’s impact. Based on the information Instructure provided them, Durham school leaders believe personal data could have been accessed — including names, email addresses and student ID numbers. That includes staff, student and parent accounts.

“We are continuing to review updates and assess any potential impact to our district. If additional information becomes available that directly affects DPS users, we will share updates promptly,” DPS said.

A spokesperson for the Wake County Public School System confirmed some students in the district received the same ransom message, adding that all the high schools in Wake County use Canvas. The district then removed access to Canvas within the Wake ID Portal and told staff and students not to use the application, for now. 

“I went onto the WakeID. I’ve looked for the app, and I couldn’t find it,” said Kate Lovette, a sixth grader in the district. “I text my friends, ‘Where is it?’ Then I looked at the website, and it was shut down.”

Will Burgess, a teacher and a parent in the district, said the tool being down with finals coming up is not his most pressing concern.

“I’m more concerned about my personal information, if it’s been accessed,” Burgess said.

WCPSS said Instructure notified the district about the breach on Tuesday, though it was unsure of what information was taken. 

When asked what the district will do if Canvas is still shut down on Friday, a spokesperson for WCPSS said: “Our teachers will do what they do every day, continue delivering exceptional instruction.”

Burgess said that while the disruption is frustrating, he and other teachers will adapt the best they can until it’s resolved.

“It is nothing that Wake County could have done or the school, or as a teacher, we could not have planned for this,” Burgess said. “So we will just roll with it. Hopefully, everything comes back to normal.” 

Cumberland County Schools said instruction is happening through “alternative methods” until access to Canvas is restored.

How are other schools handling the breach across the US?

Several colleges and universities reported their Canvas apps were down, including the University of Pennsylvania and the University of Oklahoma.

Universities and school districts quickly began notifying students and parents.

“This is being reported as a national-level cyber-security incident,” the University of Iowa’s director of information technology wrote in announcing that the school’s online system was down. “Hopefully we will have a resolution soon.”

Virginia Tech acknowledged in a notice to students that the administration was aware of the effect on final exams and other end-of-semester activities.

“Additional guidance will be shared soon via email and posted on the university status page,” the school wrote.

The student newspaper at Harvard reported that the system was down there, too. And public school districts also sought to reassure parents, with officials in Spokane, Washington, writing that they aren’t “aware of any sensitive data contained in this breach.”

What to know about ‘ShinyHunters,’ the group behind the breach

Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft, described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group also has been tied to other attacks, including one aimed at Live Nation’s Ticketmaster subsidiary.

Screenshots he provided showed that the group began threatening Sunday to leak the trove of data, giving deadlines of Thursday and May 12. Connolly said the later date indicates that discussions regarding extortion payments may be ongoing.

Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.

Not the first time a vendor for NC schools was targeted

This isn’t the first time student data has been impacted by a data breach. PowerSchool, a company that provides data services across the globe, with data storage for more than 60 million students across more than 18,000 customers and more than 90 countries, was involved in a data breach on Dec. 28, 2024.

PowerSchool later said it paid a ransom to the hacker responsible for the breach and watched a video of the hacker deleting the data they stole, according to people who were on the call. However, cybersecurity analysts said more state schools could face extortion attempts in the wake of the attack.

In August, the State Board of Education transferred all of the student and staff data it had on PowerSchool to Infinite Campus for its statewide system.

In response to the ransom note, Nick Tripp, Duke’s chief information security officer, told WRAL News it is monitoring the situation, adding that Instructure told the university that there was no indication that passwords, dates of birth, government identifiers or financial information were involved.

WRAL Education Insider Emily Walkenhorst, WRAL reporters Destinee Patterson and Willie Daniely, and The Associated Press contributed to this report.


