The Biggest Student Data Privacy Disaster in History: Canvas Hack Shows the Danger of Centralized EdTech
Key Takeaways
- The Canvas hack, orchestrated by the ransomware group ShinyHunters, exposed billions of messages and 275 million individuals’ data.
- Instructure, the company that makes Canvas, was able to partially restore access to the platform but is not clear on whether a ransom was paid.
- The breach demonstrates the risks associated with centralizing educational and personal data in a single service like Canvas.
- Experts warn of potential phishing attacks and harm due to sensitive messages being leaked, including those between students and teachers.
In my conversation with Ian Linkletter, a digital librarian specializing in education technology, he emphasized that this is the biggest student data privacy disaster in history:
At about 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message. Some institutions were warning people to change their passwords if they were logged in. It’s just the implications are on everything because schools rely on Canvas for communications, grading, finals, and more.
What I was there when we switched to Canvas in 2017 was the shift from these scrappy little self-hosted learning management system apps that would be on Canadian servers to this centralized, all eggs-in-one basket faith in a U.S. tech company. This idea that our data would be just as safe with them as it was when we had it.
Because of the move to the cloud happening so suddenly about 10 years ago, all of a sudden data got centralized. The only way I can think of for this type of hack where everything went down and so much was stolen would be if Instructure had access to everybody’s data, which doesn’t seem necessary.
Because the contents of messages got leaked, it’s really easy for phishing attacks to get customized. Like, Canvas got hacked, and continuing our conversation type of thing you can get some really personal information from people. And that’s also new.
I supported instructors that used Canvas. And so I would hear these stories like students are telling you that people died [to explain absences]. There’s personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations, all sorts of stuff would be getting reported to the instructor using Canvas. If that information is out across hundreds of millions of people, there’s a lot of harm that’s going to happen.
Linkletter also highlighted his concerns about how institutions are responding to this breach and stressed the importance of warning students immediately about what’s happening. He believes that even with limited knowledge, schools should have been more proactive in informing their student populations sooner rather than later.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.