The Biggest Student Data Privacy Disaster in History: Canvas Hack Shows the Danger of Centralized EdTech
Key Takeaways
- The Canvas hack, orchestrated by the ransomware group ShinyHunters, exposed billions of messages and personal data for over 275 million individuals.
- Instructure, the company behind Canvas, managed to partially restore access to the platform but is not clear on whether a ransom was paid.
- The breach highlights the risks associated with centralizing educational and student data in a single service.
- Ian Linkletter, a digital librarian specializing in education technology, emphasized that this hack represents the biggest student data privacy disaster in history due to its scale and sensitivity of stolen information.
Thursday afternoon, millions of students across thousands of universities and K-12 schools were locked out of Canvas, an all-in-one educational software used by many institutions. The ransomware group ShinyHunters breached Canvas’s parent company and reportedly stole “billions” of messages and accessed data for over 275 million individuals, according to the hacking group according to ShinyHunters. The group also locked students out of Canvas. Later that day, Instructure, which makes Canvas, was able to mostly put Canvas back online; it is not clear if the company paid a ransom or not. The breach demonstrates the danger in centralizing educational and personal data of millions of students in a single service. Canvas serves as a portal where teachers post assignments, lectures, have discussion boards, and students can communicate with each other and their teachers.
Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations,” which includes names, email addresses, student ID numbers, and messages among Canvas users. Instructure also noted that it was breached twice: once on April 29 and again on Thursday.
Soon after the hack, I called up Ian Linkletter, a digital librarian specializing in emerging education technology. Linkletter has worked in education tech for 20 years and over the last few years has become known for exposing privacy concerns in Proctorio, a remote test proctoring software that rose to prominence during the early days of the COVID-19 pandemic. Linkletter was sued by Proctorio but eventually the case was dropped.
Linkletter on the hack: At about 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning people to change their passwords if they were logged in; some senior administration at schools are in meetings talking about whether they need to cancel finals next week. It’s just the implications are on everything because schools are reliant on this learning management system for everything—communications, grading, finals, everything.
At first, I supported Blackboard [a similar piece of tech] way back in the day and then I supported Canvas from about 2017 to 2022 when I worked at the University of British Columbia. And what I was there for when we switched to Canvas in 2017 was the shift from like these scrappy little self-hosted learning management system apps that would be on Canadian servers to this centralized, all eggs-in-one basket faith in a U.S. tech company. This idea that our data would be just as safe with them as it was when we had it. And because this move to the cloud happened so suddenly about 10 years ago, all of a sudden data got centralized. The only way I can think of that this type of hack where everything went down, where so much was stolen would be if Instructure had access to everybody’s data. This is something that we’ve never seen before.
Because the contents of messages got leaked, it really easy for phishing attacks to get customized. Like, Canvas got hacked and continuing our conversation type of thing you can get some really personal information from people. And that’s also new. I supported instructors that used Canvas. And so I would hear these stories like students are telling you that people died [to explain absences]. There’s personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations, all sorts of stuff would be getting reported to the instructor using Canvas. If that information is out across hundreds of millions of people there’s a lot of harm that’s going to happen.
My biggest concern right now is monitoring the institutional response. I feel very strongly that students should have been warned about this like days ago. And it just took this second hack where students got something in their face notifying them that really made schools respond. So I believe that students need to be warned or else they’re going to get harmed. The longer schools wait to tell students about what’s going on, even the little that they know, the more stress and chaos and potential risk to student privacy and safety is at stake.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.