The Biggest Student Data Privacy Disaster in History: Canvas Hack Shows the Danger of Centralized EdTech
What We Know So Far
Thursday afternoon, millions of students across thousands of universities and K-12 schools were locked out of Canvas, a widely-used piece of education technology software that serves as the primary platform for class communications, assignments, lectures, discussion boards, and more. ShinyHunters, a ransomware group, breached Canvas’s parent company and reportedly stole “billions” of messages and accessed data belonging to over 275 million individuals, according to the hacking group. The group also locked students out of Canvas. Later on Thursday, Instructure, which develops Canvas, managed to mostly restore access to Canvas; however, it is unclear whether the company paid a ransom or not. The breach underscores the risks associated with centralizing educational and personal data in a single service.
The Hack’s Implications
Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations, which includes names, email addresses, student ID numbers, and messages among Canvas users.” Instructure also mentioned that it was breached twice—once on April 29 and again on Thursday. Soon after the hack, I reached out to Ian Linkletter, a digital librarian specializing in emerging education technology who has worked in EdTech for over two decades and is known for exposing privacy concerns in Proctorio.
Linkletter’s Perspective
404 Media: What do we know about the hack so far?
At around 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning users to change their passwords if logged in; right now, it just seems like everyone is in panic mode, with senior administrators at schools discussing whether finals next week need to be canceled. It’s all about the implications for everything because schools rely on Canvas for communications, grading, and more.
In your email to me, you mentioned this is the biggest student data privacy disaster in history. What made you frame it that way?
When I worked with Blackboard [a similar piece of tech] back then, and when we switched to Canvas in 2017 at the University of British Columbia, this was a shift from these scrappy little self-hosted learning management system apps that were on Canadian servers to trusting a U.S. tech company for all our data. The idea was that it would be just as safe with them as when we had it ourselves.
What’s happening now is something I’ve never seen before—this type of hack where everything went down and so much was stolen, and it happened to everyone across every institution. It makes me think this could only happen if Instructure had access to all the data from every single user, which doesn’t seem necessary.
I can also imagine messages between students and teachers being pretty sensitive.
There were instructors using Canvas who would hear stories like this: students reporting personal circumstances, medical conditions, accessibility accommodations, disputes, sexual assault allegations. If that information is out there across hundreds of millions of people, the potential for harm is significant.
What will you be monitoring as this plays out?
I’m most concerned about how schools are responding to this breach. Students should have been warned days ago; they’re in panic mode now because of the second hack that affected students directly. I believe students need to be informed so they can prepare for what’s happening, but if schools keep waiting and tell them only little bits at a time, there could be more stress and chaos, as well as potential risks to student privacy and safety.
Key Takeaways
- The Canvas hack represents the biggest student data privacy disaster in history due to its scale and sensitivity of stolen information.
- Schools should have been warned about the breach days ago, but only after the second hack that affected students directly did institutions start taking action.
- Centralizing educational and personal data in a single service poses significant risks, as seen with this Canvas hack. Students need to be informed of the situation so they can prepare for potential harm.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.