Canvas Hack: The Biggest Student Data Privacy Disaster in History
The Canvas Hack and Its Implications
Thursday afternoon, millions of students at thousands of universities and K-12 schools were locked out of Canvas, a piece of catch-all education technology software that has become the de facto core of many classes. ShinyHunters, a ransomware group, hacked Canvas’ parent company and apparently stole “billions” of messages and accessed more than 275 million individuals’ data, according to the hacking group.
Later Thursday, Instructure, which makes Canvas, was able to mostly put Canvas back online; it is not clear whether the company paid a ransom. The breach demonstrates the danger in centralizing the educational and personal data of millions of students in a single service.
Canvas is essentially a portal where teachers post assignments and lectures and host discussion boards, and where students can message each other and their teachers and connect with other pieces of education tech software. Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations.” That includes names, email addresses, student ID numbers, and messages among Canvas users.
Instructure also noted that it was breached twice—once on April 29 and again on Thursday. Soon after the hack, I called up Ian Linkletter, a digital librarian specializing in emerging education tech, to talk about the implications of the breach.
Key Takeaways
- The Canvas hack is “the biggest student data privacy disaster in history” due to its scale and the sensitive nature of what was stolen.
- This type of widespread data leak can lead to phishing attacks and can expose personal information such as medical circumstances or sexual assault allegations.
- Students should have been warned about this breach days ago, but schools waited until students were affected before responding, potentially putting them at risk.

