‘The Biggest Student Data Privacy Disaster in History’: Canvas Hack Shows the Danger of Centralized EdTech


By AI Maestro May 10, 2026 2 min read

Thursday afternoon, millions of students at thousands of universities and K-12 schools were locked out of Canvas, a piece of catch-all education technology software that has become the de facto core of many classes. ShinyHunters, a ransomware group, hacked Canvas’ parent company and apparently stole “billions” of messages and accessed over 275 million individuals’ data, according to the hacking group. The group also locked students out of Canvas.

Later Thursday, Instructure, which makes Canvas, was able to mostly put Canvas back online; it is not clear whether the company paid a ransom. The breach demonstrates the danger of centralizing the educational and personal data of millions of students in a single service. Canvas is essentially a portal where teachers post assignments and lectures and host discussion boards, and where students can message each other and their teachers and connect with other pieces of education tech software.

Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations.” That includes names, email addresses, student ID numbers, and messages among Canvas users. Instructure also noted that it was breached twice—once on April 29 and again on Thursday.

Soon after the hack, I called up Ian Linkletter, a digital librarian specializing in emerging education tech, to talk about the implications of the breach. Linkletter has worked in education tech for 20 years and over the last few years has become known for exposing privacy concerns in Proctorio, a remote test proctoring software that rose to prominence during the early days of the COVID-19 pandemic. Linkletter was sued by Proctorio but eventually the case was dropped.

Linkletter told me the Canvas hack is “the biggest student data privacy disaster in history” in part because of its scale and the sensitive nature of what was stolen. This is my conversation with Linkletter, which has been lightly condensed.

Key Takeaways

  • The Canvas hack exposed over 275 million individuals’ personal information including names, email addresses, student ID numbers, and messages among users.
  • Instructure noted that it was breached twice, once on April 29 and again on Thursday.
  • Linkletter described this as “the biggest student data privacy disaster in history,” highlighting the danger of centralizing educational and personal data in a single service like Canvas.
  • The hack demonstrates the need for better institutional response to such breaches, with students potentially being harmed by lack of timely warnings about what had gone wrong.

Originally published at 404media.co. Curated by AI Maestro.
