The Biggest Student Data Privacy Disaster in History: Canvas Hack Shows the Danger of Centralized EdTech
Key Takeaways
- The Canvas hack, orchestrated by the ShinyHunters ransomware group, exposed billions of messages and data from 275 million individuals.
- Instructure, the company behind Canvas, has partially restored access to the platform but is unclear about any ransom payment.
- Professor Ian Linkletter, a digital librarian with extensive experience in education technology, characterized the breach as “the biggest student data privacy disaster in history,” emphasizing its scale and the sensitive nature of what was stolen.
In your email to me, you said you’ve worked in EdTech for 20 years and this is the biggest student data privacy disaster in history. I’m curious what sort of made you frame it that way.
At about 1:20 PM [Pacific time, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning people to change their passwords if they were logged in; some senior administration at schools are in meetings talking about whether they need to cancel finals next week. It’s just the implications are on everything because schools are reliant on this learning management system for everything—communications, grading, finals, everything.
Because the contents of messages got leaked, it’s really easy for phishing attacks to get customized. Like, Canvas got hacked and continuing our conversation type of thing you can get some really personal information from people. And that’s also new.
I supported instructors that used Canvas. And so I would hear these stories like students are telling you that people died [to explain absences]. There’s personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations, like all sorts of stuff would be getting reported to the instructor using Canvas. If that information is out across hundreds of millions of people, there’s a lot of harm that’s going to happen.
My biggest concern right now is monitoring the institutional response. I feel very strongly that students should have been warned about this like days ago. And it just took this second hack where students got something in their face notifying them that really made schools respond. So I believe that students need to be warned or else they’re going to get harmed. And the longer schools wait to tell students about what’s going on, even the little that they know, the more stress and chaos and potential risk to student privacy and safety is at stake.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.