Post-secondary institutions in Ontario, including the University of Toronto, are among thousands of schools impacted by a cybersecurity incident involving learning software Canvas.
Instructure, Canvas’s U.S.-based parent company, first posted about a breach “by a criminal threat actor” on its website on May 1.
A post on May 2 indicated that some identifying information of Canvas users, such as names, email address, student ID numbers and messages, may have been impacted. But there was no evidence of passwords, government or financial information being taken, according to Steve Proud, the company’s chief information security officer.
So far CBC News has confirmed that five Ontario schools have been affected by the breach: the University of Toronto, Western’s Ivey Business School, OCAD University, Mohawk College and Ontario Tech University. U of T, OCAD and Ontario Tech said winter terms are complete, so there was no impact on classes.
“As far as I can tell, this is the largest educational IT hack in history,” said David Shipley, CEO of Beauceron Security. “This is an incredibly destructive attack.”
Instructure said Wednesday that Canvas was fully operational with no ongoing unauthorized activity and the company was in contact with impacted customers to provide support. Shipley said it appears hackers behind that first breach returned on Thursday to extract more data, deface login pages and send notes to schools and students demanding payment.
In an email on Friday, Infrastructure spokesperson Brian Watkins said the company discovered that the “unauthorized actor” in the security incident made changes to the pages that appeared when some students and teachers were logged into Canvas. It immediately took Canvas offline to investigate, he said.
“We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts,” he said, adding those accounts have been temporarily shut down.
“This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
Data breaches, hacks and ransomware attacks seem to be in the news more often. But cybersecurity experts say there are helpful steps you can take to protect yourself in the wake of a data breach, and to prepare for the next time it happens.
The Associated Press reported Thursday that Canvas was offline again for several hours, but that it wasn’t clear if the system had been hacked or if Instructure had taken it down as a precaution.
Canvas is used by schools to share classroom material, such as lecture videos, notes and assignments, and to distribute grades.
U of T halts program access as precautionary measure
A U of T community update on Thursday said the university’s learning management software Quercus would be unavailable until further notice due to the cybersecurity incident. The school said that it is in contact with the company to find a resolution.
On Friday, the university said it stopped the program as a precautionary measure and did not recommend students attempt to access it. It said other U of T systems were not compromised.
U of T also said it has reported the incident to the Information and Privacy Commissioner of Ontario.
OCAD University informed students Thursday night of a service disruption to the Canvas Cloud program due to the security incident. It said the school is actively monitoring the situation.
The university has “restored access to Canvas” and warned of possible phishing messages asking for personal information or passwords,” said OCAD in a statement Friday.
A notice on Ontario Tech’s website also notified students and staff of the issue, saying the school was working with Instructure’s cybersecurity specialists to monitor the situation.
The university said all systems and learning platforms are working as usual, but that any suspicious activity should be reported to the service desk.
In an email on Friday, Ontario Tech’s IT department said the information potentially involved is limited to names, institutional email addresses, student or ID numbers, and course-related messages exchanged within Canvas and there is no indication that financial information, passwords, or other university systems were affected.
“As a precaution, students and employees have been advised to remain vigilant against phishing emails and suspicious messages, to avoid sharing personal information through unsolicited communications, and to report suspicious activity to the IT Service Desk,” the department said.
“We do not anticipate a broad disruption to students’ studies. The university will continue to monitor the situation and will provide further updates to students, employees and the broader campus community as needed.”
Watkins said Canvas has since been restored for Ontario Tech.
Hamilton-based Mohawk College was notified earlier this week of the cybersecurity incident and Canvas was temporarily unavailable on Thursday, said school spokesperson Sean Coffey.
He said Instructure had shared that passwords, single sign-on credentials, birth dates, addresses and financial information were not affected in the breach.
Two schools in B.C., the University of British Columbia and Simon Fraser University (SFU), and the University of Alberta are also amongst those impacted.
An SFU spokesperson said in an email that around 9,000 learning institutions around the world have been affected by the “systems breach.”
Hacking group claims Canvas attack: analyst
A hacking group, known as the ShinyHunters, claimed responsibility for the Canvas breach, Luke Connolly, a threat analyst with cybersecurity firm Emisoft, told the Associated Press.
The group is described as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom, said Connolly.
Shipley said the group is a “data extortion gang” behind some of the “greatest hacks” over the last few years, including the breach into Telus and UK company Marks and Spencer.
Connolly provided the Associated Press with screenshots showing ShinyHunters making threats on Sunday that they would leak data. The group gave “deadlines” of Thursday and May 12, which Connolly said may indicate discussions are ongoing regarding extortion payments.
USA Today reported Friday that a ransom letter from the group had been shared online on Sunday by Ransomware.live, a website that tracks ransomware groups.
The letter stated data from over 275 million people had been accessed across 9,000 schools and that the information would be leaked if payment was not provided.
Read the full article here