The Biggest Student Data Privacy Disaster in History: Canvas Hack Shows the Danger of Centralized EdTech
Key Takeaways
- The Canvas hack, orchestrated by the ShinyHunters ransomware group, exposed billions of messages and more than 275 million individuals’ data.
- Instructure, Canvas’s parent company, was able to mostly restore access to Canvas but did not disclose whether they paid a ransom.
- Canvas serves as a central hub for educational activities like assignments, lectures, discussion boards, and student-teacher communication. The breach affected millions of students at thousands of institutions.
- Ian Linkletter, a digital librarian with expertise in education tech privacy concerns, categorized the Canvas hack as “the biggest student data privacy disaster in history.” He emphasized the scale and sensitivity of what was stolen, including personal information like names, email addresses, student ID numbers, and messages between users.
What Do We Know About the Hack So Far?
Ian Linkletter: At about 1:20 PM [Pacific], people started posting screenshots to Reddit of this breach message that they were getting. Some institutions were cautioning students to change their passwords if they were logged in, as it seems like everyone is in panic mode now—some senior administration at schools are in meetings discussing whether finals need to be canceled next week. It’s just the implications are on everything because schools rely so heavily on Canvas for communications, grading, and other educational activities.
Why Is This Considered the Biggest Student Data Privacy Disaster?
Linkletter: I’ve worked in EdTech for 20 years, supporting Blackboard way back in the day. When we switched to Canvas around 10 years ago, it was a big shift from self-hosted learning management systems to this centralized all-egg-in-one-basket faith in a U.S. tech company. The only way I can think of that this type of hack where everything went down and so much was stolen would be if Instructure had access to everybody’s data, which doesn’t seem necessary. For it to be just so widespread across every customer is something we’ve never seen before.
What Are the Implications for Students?
Linkletter: The contents of messages got leaked, making phishing attacks more personalized and easier. If that information is out there—messages between students and teachers being pretty sensitive—the potential harm can be significant. For example, instructors might receive personal information about absences, medical circumstances, accessibility accommodations, disputes, sexual assault allegations, or other sensitive topics.
What Will You Be Monitoring?
Linkletter: My biggest concern right now is monitoring the institutional response. I believe students should have been warned days ago. It just took this second hack where students got something in their face notifying them about what’s going on for schools to respond. The longer schools wait, even if they only know a little bit, the more stress and chaos they could cause, as well as potential risks to student privacy and safety.
ShinyHunters, a ransomware group, hacked Canvas’s parent company and apparently stole “billions” of messages and accessed more than 275 million individuals’ data, according to the hacking group. The group also locked students out of Canvas. Instructure was able to mostly put Canvas back online but did not disclose whether they paid a ransom or not. The breach demonstrates the danger in centralizing the educational and personal data of millions of students in a single service. Canvas serves as a central hub for educational activities like assignments, lectures, discussion boards, and student-teacher communication. The hack affected millions of students at thousands of institutions. Ian Linkletter, a digital librarian with expertise in education tech privacy concerns, categorized the Canvas hack as “the biggest student data privacy disaster in history.” He emphasized the scale and sensitivity of what was stolen, including personal information like names, email addresses, student ID numbers, and messages between users.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.